From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <v.perepelitsa@corp.mail.ru>
Received: from smtp57.i.mail.ru (smtp57.i.mail.ru [217.69.128.37])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by dev.tarantool.org (Postfix) with ESMTPS id CF0C2469710
 for <tarantool-patches@dev.tarantool.org>;
 Thu, 26 Nov 2020 19:01:35 +0300 (MSK)
References: <20201119194100.840495-1-gorcunov@gmail.com>
 <20201119194100.840495-4-gorcunov@gmail.com>
 <1670ea9e-ebd6-771b-e3ec-d9edc97d461a@corp.mail.ru>
 <20201126144422.GC1231860@grain>
From: Mons Anderson <v.perepelitsa@corp.mail.ru>
Message-ID: <d3f55cb2-4390-e120-bd70-5697a5d277ce@corp.mail.ru>
Date: Thu, 26 Nov 2020 19:01:33 +0300
MIME-Version: 1.0
In-Reply-To: <20201126144422.GC1231860@grain>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Subject: Re: [Tarantool-patches] [RFC 3/4] cfg: prepare symbolic evaluation
 of replication_synchro_quorum
List-Id: Tarantool development patches <tarantool-patches.dev.tarantool.org>
List-Unsubscribe: <https://lists.tarantool.org/mailman/options/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=unsubscribe>
List-Archive: <https://lists.tarantool.org/pipermail/tarantool-patches/>
List-Post: <mailto:tarantool-patches@dev.tarantool.org>
List-Help: <mailto:tarantool-patches-request@dev.tarantool.org?subject=help>
List-Subscribe: <https://lists.tarantool.org/mailman/listinfo/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=subscribe>
To: Cyrill Gorcunov <gorcunov@gmail.com>
Cc: tarantool-patches@dev.tarantool.org

Some feedback on behalf of Vlad Grubov:

Quote:

     Good idea, but it is not secure to export whole math to the 
configuration. User must not have access to math table itself because it 
can modify it's function which will take effect through entire 
application.    Moreover user must not have access to math.randomseed 
for security reasons. User is allowed to have access to ceil, floor, 
min, max, fmod, random, abs, sqrt.

So, I'd chande setfenv with:


setfenv(f, { N = %d, math = { ceil = math.ceil, floor = math.floor, abs 
= math.abs,
     random = math.random, min = math.min,  max = math.abs,
     sqrt = math.sqrt, fmod = math.fmod  } })



On 26.11.2020 17:44, Cyrill Gorcunov wrote:
> On Thu, Nov 26, 2020 at 05:38:32PM +0300, Mons Anderson wrote:
>> For the formula evaluation I'd propose the following snippet:
>>
>> local expr = [[%s]]
>> local f, err = loadstring('return ('..expr..')')
>> if not f then error(string.format('Failed to load %%s: %%s',expr, err)) end
>> setfenv(f, { N = %d, math = math })
>> return math.floor( f() )
> Will do. And will address the rest of comments. Thanks
> for feedback!