[library] binser - Customizable Lua Serializer

[bakpakin]

Because serializing functions is inherently unsafe, because the function could be malicious.

EDIT: After reading up more on loadstring, I realize that loadstring already does all of the below. All code is only compiled, not executed. You're completely right and I'm make something out of nothing. My bad, I'm wrong, mea culpa. Read and think before you post, people!

With my proposed method, one could deserialize the function without worrying about malicious code being called automatically. It would be then up to the user to make sure their data is what they expected. By naively calling loadstring on anything that claims to be a function during deserialization, evil code would execute without the user explicitly calling it. But any code within a function scope in lua is only compiled with loadstring, not executed. If the user decides to deserialize a function and execute it, you're right, there is no way to make it safe. I hope this makes sense.

[bakpakin]

Just finished changing number serialization / deserialization to truly binary form. No more string.format for numbers. The implementation I modified was from lua-MessagePack, which I actually had to correct because it did not handle all numbers. Code is on github like usual.

It should work on Lua compiled with single precision numbers instead of double precision numbers, but I'm not sure.

This doesn't significantly change the benchmark numbers, because most numbers in the benchmarks are small numbers stored in single bytes. It does, however, make serialized data much more compact, especially anything with lots of numbers, like meshes or level data.

[bakpakin]

Just an update, I've now added resources and function serialization to binser.

[prixt]

Can binser serialize weak tables?