- Subject: Re: Bug: long strings with REALLY long delimiters …
- From: David Favro <lua@...>
- Date: Thu, 13 Dec 2018 22:09:27 +0000
On December 13, 2018 9:43:33 PM UTC, Coda Highland <chighland@gmail.com> wrote:
> On Thu, Dec 13, 2018 at 3:32 PM David Favro <lua@meta-dynamic.com> wrote:
>
>> On December 13, 2018 9:01:52 PM UTC, Egor Skriptunoff
>> <egor.skriptunoff@gmail.com> wrote:
>>> On Thu, Dec 13, 2018 at 7:15 PM Roberto Ierusalimschy wrote:
>>>> it seems easier to just limit the maximum number of '=' in a long
>>>> bracket. I don't think people will mind a limit of 1000.
>>>
>>> IMO, it's not a good idea.
>>> If this limit is N, then minimal size of non-quotable string is about
>>> 0.5*N^2
>>
>> What's a "non-quotable string"?
>>
>> Am I missing something or can't any string be represented as a literal
>> with e.g. double-quote (") as delimiter and appropriate escaping of
>> special characters? If so, I don't see your definition of "non-quotable",
>> could you elaborate?
>
> You're missing that Lua has another form of string literal (sometimes
> called "raw" strings) that treats its contents as verbatim instead of
> requiring special characters to be escaped. In this context,
> "non-quotable" means "a string that cannot be expressed using a raw
> string literal".
>
> /s/ Adam
Yes, I kind of assumed that; perhaps I was being a little rhetorical, but I don't think that "non-quotable" is remotely an accurate description of such a string, nor what people would normally assume the phrase means, even in the context of a mailing-list thread on long strings. And, while I've no idea what Egor meant about vulnerabilities surrounding them, I am imagining some kind of issue with a serialization library that tries to represent strings in the VM as Lua string literals for external storage being fed unquotable strings. In my experience, such libraries don't use long strings, and I don't think that string.format()'s %q does either. My point is that *any* string can be represented as a "quoted" Lua string literal, so I still ask for clarification: what does "non-quotable" mean in this context, and why would such a string pose a vulnerability?
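The following is an added example written for this page; it is not code from the thread, from Lua itself, or from any serialization library mentioned above. It makes the three claims in the exchange concrete: a long bracket of level n cannot hold a string containing its own closer "]" .. ("="):rep(n) .. "]"; with a cap of N levels the shortest string that defeats every level is about 0.5*N^2 bytes long (the closers overlap by one bracket, so the exact length is 1 + (N+1)(N+2)/2); and string.format("%q") represents any string regardless. The last part shows the kind of problem David speculates about: a hypothetical serializer that always emits level-0 brackets lets data containing "]]" break out of the literal. It assumes Lua 5.3 or 5.4 (load accepting a string, integer division); all inputs are constructed.

```lua
-- Added example, not from the thread. Assumes Lua 5.3/5.4.

-- Smallest bracket level n in 0..limit whose closer does not occur in s,
-- or nil if every level up to `limit` is defeated. `limit` models the
-- cap on '=' signs proposed in the thread.
local function min_bracket_level(s, limit)
  for n = 0, limit do
    if not s:find("]" .. string.rep("=", n) .. "]", 1, true) then
      return n
    end
  end
  return nil
end

-- Shortest string that defeats every level 0..N: a single "]" followed by
-- "=^n]" for n = 0..N, so adjacent closers share a bracket. Its length is
-- 1 + (N+1)(N+2)/2, i.e. about 0.5*N^2 for large N.
local function unbracketable(N)
  local parts = { "]" }
  for n = 0, N do
    parts[#parts + 1] = string.rep("=", n) .. "]"
  end
  return table.concat(parts)
end

-- Long-bracket literal for s at level n. The lexer drops a newline that
-- immediately follows the opening bracket, so one is inserted to protect a
-- leading newline in s. Caveat: the lexer normalises "\r", "\r\n" and
-- "\n\r" to "\n" inside long brackets, so carriage returns never round-trip
-- through this form; check with roundtrips() before relying on it.
local function long_bracket_literal(s, n)
  local eq = string.rep("=", n)
  return "[" .. eq .. "[\n" .. s .. "]" .. eq .. "]"
end

-- Quoted literal: %q escapes '"', '\', newlines and control characters,
-- so this form exists for every string.
local function quoted_literal(s)
  return string.format("%q", s)
end

-- Compile the literal and compare the value it produces with the original.
local function roundtrips(literal, s)
  local chunk = assert(load("return " .. literal))
  return chunk() == s
end

-- Hypothetical naive serializer that always uses level 0 (constructed for
-- illustration; no real library is being quoted here).
local function naive_literal(s)
  return "[[" .. s .. "]]"
end

-- 1. Any string survives %q, including one holding several closers.
local nasty = 'quote " backslash \\ newline \n closers ]]]=]==] tab \t'
assert(roundtrips(quoted_literal(nasty), nasty))

-- 2. A long bracket works only at a level whose closer is absent:
--    "]]", "]=]" and "]==]" all occur in `nasty`, so level 3 is the first fit.
local n = assert(min_bracket_level(nasty, 1000))
assert(n == 3)
assert(roundtrips(long_bracket_literal(nasty, n), nasty))

-- 3. With a cap of N levels, unbracketable(N) fits none of them, and its
--    size grows quadratically; %q still handles it without trouble.
local N = 10
local s = unbracketable(N)
assert(min_bracket_level(s, N) == nil)
assert(#s == 1 + (N + 1) * (N + 2) // 2)   -- 67 bytes for N = 10
assert(roundtrips(quoted_literal(s), s))

-- 4. Why a serializer must pick the level from the data: this payload closes
--    a level-0 literal early and the chunk evaluates to "hellopwned" instead.
local payload = 'hello]] .. "pwned" .. [['
assert(not roundtrips(naive_literal(payload), payload))
-- Choosing the level from the content (here 1, since "]=]" is absent) fixes it.
assert(roundtrips(long_bracket_literal(payload, min_bracket_level(payload, 1000)), payload))

print("all checks passed")
```

Run it with `lua example.lua`; every assert passes on Lua 5.3 and 5.4. The practical takeaway matches David's point: a serializer that emits "quoted" literals via %q never has to reason about bracket levels at all, whereas one that emits long brackets has to scan the data for closers (and reject or escape carriage returns) or it becomes a code-injection point when the data is attacker-controlled.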