Is binser safe? #20

Open
jtackaberry opened this issue Jan 4, 2021 · 1 comment

@jtackaberry

The README says that binser "does not [...] use the Lua parser to read expressions" and that "[t]his makes it safe."

But the deserializer uses loadstring() for functions.

Doesn't this mean that binser is in fact not safe? Perhaps deserialize() could take an argument to enable the non-safe behavior of deserializing functions?

@pakeke-constructor

pakeke-constructor commented Nov 28, 2021

Loadstring will load the Lua code, but not run anything.

If you did loadstring(code)(), then this could be very bad, as the Lua code inside code would be executed.

(So to answer your question: yes, binser is safe.)
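
The load-versus-call distinction discussed in this thread, as an added example that is not part of the issue and is not binser's code: on Lua 5.1 / LuaJIT, `loadstring()` only compiles a chunk, the chunk's side effects appear once something calls the returned function, and `setfenv()` can confine it before that happens. The chunk text and the `load_confined` helper are hypothetical, constructed for illustration.

```lua
-- Added example for Lua 5.1 / LuaJIT, where loadstring and setfenv exist.
-- `untrusted` is constructed sample input standing in for data that
-- arrived from outside the program.
local untrusted = [[
  touched = true   -- side effect on whatever environment the chunk runs in
  return os and os.getenv and "saw os library" or "no os library"
]]

-- 1. Loading only compiles. The chunk body has not run yet, so the
--    global `touched` is still unset.
touched = nil
local fn, err = loadstring(untrusted, "=untrusted")
assert(fn, err)
print("after loadstring: touched =", tostring(touched))

-- 2. Calling the loaded function runs it with full access to _G.
--    Any later code that calls a function obtained this way is in the
--    same position as loadstring(code)().
local result = fn()
print("after call:       touched =", tostring(touched), "result =", result)

-- 3. Hypothetical helper: compile, then bind the chunk to an explicit
--    environment table before handing it to anyone who might call it.
local function load_confined(code, env)
  local f, e = loadstring(code, "=confined")
  if not f then
    return nil, e            -- syntax error: nothing to confine
  end
  setfenv(f, env or {})      -- global reads/writes now go to `env`
  return f
end

touched = nil
local env = {}
local confined = assert(load_confined(untrusted, env))
local ok, res = pcall(confined)   -- pcall so a runtime error cannot propagate
print("confined call:    ok =", ok, "result =", res)
print("global touched =", tostring(touched), "env.touched =", tostring(env.touched))
```

An empty environment removes access to globals only; it does not bound the CPU time or memory a called chunk can consume.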
