table.pack and LOVE

[bartbes]

Be warned that TSerial allows for arbitrary code execution, so it might not be the best idea for networking.

[Sheepolution]

At what point can it be dangerous though?

As soon as I do Tserial.unpack(table)?

[Robin]

Yeah.

[Sheepolution]

But how? Variables älone can't do much right?

[Jasoco]

In Lua, everything is a variable. Including functions and tables and all can be inside each other.

[Lafolie]

It is possible to sandbox to an extent, you can create a safe environment using do-end blocks or using a set of rules defined by a function.

[bartbes]

Well, it uses [manual]loadstring[/manual] to unpack, which executes a string as code, so there you go.
Just to be clear, I'm not bashing TSerial, it's just that it's not meant for (safely) receiving things from outside of your "trusted zone".

[ArchAngel075]

My workaround will be to scan all incoming messages server side, and if the string contains "function" then it will error the game, i dont plan on trying to send functions of my own and so this will eliminate the security risk almost completely.

Im sure there might be a different way to protect from malicious code.

[Robin]

My workaround will be to scan all incoming messages server side, and if the string contains "function" then it will error the game, i dont plan on trying to send functions of my own and so this will eliminate the security risk almost completely.

Spoiler alert: you will get hacked. Blacklisting is not something you can prevent code injection with. Either use sandboxing or send JSON instead of Lua. I recommend the latter.

[kikito]

Which reminds me:

https://github.com/kikito/sandbox.lua

I have not announced it here because it's not yet 1.0, but it works quite nicely.