lua-symmetric

Symmetric crypto for Lua

commit c99a5ad4ebe69b6c23e01d19fd704f2e3badbc41
parent 2c54b242b2068eace8eaaebe2ffb00d0f2fc5ffb
Author: Michael Savage <mikejsavage@gmail.com>
Date:   Mon, 16 Feb 2015 21:17:20 +0000

Add security note

Diffstat:
README.md | 15++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md @@ -42,7 +42,16 @@ Usage Security concerns ----------------- -Lua will keep plaintext messages and encryption keys around in memory as -part of its string interning mechanism. As far as I'm aware, there's -nothing I can do about this. +Generated keys and ciphertexts will use the full range of ASCII values. +They should be handled with care - displaying them as-is can introduce +subtle flaws. For example, keys and ciphertexts can contain quotes, +which makes them unsafe to insert into SQL queries<sup>1</sup>, HTML and +JSON. If in doubt, base64/hex encode them. +[sql]: http://dc406.com/home/393-sql-injection-with-raw-md5-hashes.html + +<sup>1</sup>: [SQL injection with MD5 hashes][sql] + +Additionally, Lua will keep plaintext messages and encryption keys +around in memory as part of its string interning mechanism. As far as +I'm aware, there's nothing I can do about this.
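Review bot: "the full range of ASCII values" understates the problem in the first added paragraph: generated keys and ciphertexts are raw bytes, so every value 0x00 to 0xFF can occur, not just the 7-bit ASCII range, and NUL bytes and non-UTF-8 sequences matter as much as quotes when the value reaches a C string, a terminal or a JSON encoder. Suggest "will contain arbitrary bytes" and "If in doubt" becoming an unconditional recommendation to base64/hex encode before the value leaves the Lua process. The SQL example also invites the wrong fix: encoding removes the quote characters, but the proper defence against injection is a parameterised query, so the note should say that encoding makes the value safe to transport and display, while SQL should still be built with bound parameters. Minor layout point: the `[sql]:` link definition sits between the paragraph and the footnote that uses it; moving it below the `<sup>1</sup>` line keeps the definitions together at the end of the section, as is conventional in Markdown.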