[Tarantool-patches] [RFC 3/4] cfg: prepare symbolic evaluation of replication_synchro_quorum
Mons Anderson
v.perepelitsa at corp.mail.ru
Thu Nov 26 19:01:33 MSK 2020
Some feedback on behalf of Vlad Grubov:
Quote:
Good idea, but it is not secure to export the whole math to the
configuration. The user must not have access to the math table itself,
because they can modify its functions, which will take effect throughout
the entire application. Moreover, the user must not have access to
math.randomseed for security reasons. The user is allowed to have access
to ceil, floor, min, max, fmod, random, abs, sqrt.
So, I'd change setfenv to:
setfenv(f, { N = %d, math = {
    ceil = math.ceil, floor = math.floor, abs = math.abs,
    random = math.random, min = math.min, max = math.max,
    sqrt = math.sqrt, fmod = math.fmod,
} })
On 26.11.2020 17:44, Cyrill Gorcunov wrote:
> On Thu, Nov 26, 2020 at 05:38:32PM +0300, Mons Anderson wrote:
>> For the formula evaluation I'd propose the following snippet:
>>
>> local expr = [[%s]]
>> local f, err = loadstring('return ('..expr..')')
>> if not f then error(string.format('Failed to load %%s: %%s',expr, err)) end
>> setfenv(f, { N = %d, math = math })
>> return math.floor( f() )
> Will do. And will address the rest of comments. Thanks
> for feedback!
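
The restricted environment proposed in this thread, written out as a stand-alone check. This is an added example, not code from the messages or from the Tarantool patch; it needs Lua 5.1 or LuaJIT (loadstring, setfenv), and the function name eval_quorum, its error strings and the sample formulas are assumptions made for illustration.

```lua
-- Added example, not Tarantool's code. eval_quorum is a hypothetical name.
local function eval_quorum(expr, n)
    local f, err = loadstring('return (' .. expr .. ')')
    if not f then
        return nil, string.format('Failed to load %s: %s', expr, err)
    end
    -- Build fresh tables on every call: the formula sees N and a copy of
    -- the whitelisted math functions, never the shared global math table.
    setfenv(f, {
        N = n,
        math = {
            ceil = math.ceil, floor = math.floor, abs = math.abs,
            random = math.random, min = math.min, max = math.max,
            sqrt = math.sqrt, fmod = math.fmod,
        },
    })
    -- A formula that touches anything outside the environment raises an
    -- error at run time; report it instead of propagating it.
    local ok, res = pcall(f)
    if not ok then
        return nil, tostring(res)
    end
    if type(res) ~= 'number' then
        return nil, 'formula must evaluate to a number'
    end
    return math.floor(res)
end

-- Constructed sample formulas.
assert(eval_quorum('N / 2 + 1', 5) == 3)
assert(eval_quorum('math.max(1, math.ceil(N / 2))', 4) == 2)

-- Names outside the whitelist are nil inside the environment.
assert(eval_quorum('math.randomseed(1)', 3) == nil)
assert(eval_quorum('os.time()', 3) == nil)

-- A write to math from inside the formula lands in the per-call copy,
-- so the application's own math table is unchanged afterwards.
local floor_before = math.floor
assert(eval_quorum('(function() math.floor = nil end)()', 3) == nil)
assert(math.floor == floor_before)
```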