In engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push() and L.PCall() execute. Since gopher-lua's LState is explicitly not goroutine-safe, concurrent requests race on the shared state, causing Lua VM corruption. The Go race detector confirms this immediately under modest concurrency (ab -n 1000 -c 100).
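The lock-scope problem described above, as an added example (not Algernon's code and not necessarily how 1.17.6 fixes it). The `vm` type is a hypothetical stand-in for a non-goroutine-safe interpreter state such as gopher-lua's LState, and `handleUnsafe`, `handleSafe` and `run` are assumed names.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// vm is a hypothetical stand-in for a shared, non-goroutine-safe interpreter
// state. It only counts how often two goroutines are inside it at once.
type vm struct{ inUse, overlaps int32 }

// call models the Push + PCall step: a second goroutine arriving while
// another is still inside is exactly the race the advisory describes.
func (v *vm) call() {
	if atomic.AddInt32(&v.inUse, 1) > 1 {
		atomic.AddInt32(&v.overlaps, 1)
	}
	time.Sleep(2 * time.Millisecond) // constructed: simulated script run time
	atomic.AddInt32(&v.inUse, -1)
}

// handleUnsafe mirrors the flawed pattern: the lock covers setup only.
func handleUnsafe(mu *sync.RWMutex, v *vm) {
	mu.Lock()
	// setup of the shared state would happen here
	mu.Unlock()
	v.call() // runs with no lock held
}

// handleSafe keeps the lock until the call on the shared state returns.
func handleSafe(mu *sync.RWMutex, v *vm) {
	mu.Lock()
	defer mu.Unlock()
	v.call()
}

// run sends n concurrent requests at one shared vm and returns the overlaps.
func run(n int, handler func(*sync.RWMutex, *vm)) int32 {
	var mu sync.RWMutex
	var wg sync.WaitGroup
	v := &vm{}
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() { defer wg.Done(); handler(&mu, v) }()
	}
	wg.Wait()
	return atomic.LoadInt32(&v.overlaps)
}

func main() {
	fmt.Println("unsafe overlaps:", run(20, handleUnsafe))
	fmt.Println("safe overlaps:  ", run(20, handleSafe))
}
```

Holding the lock through the call serializes requests on the shared state; giving each request its own state is the other common way to remove the shared access.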
Impact
Denial of service when using Lua + Algernon.
Patches
This has been patched in version 1.17.6.
Workarounds
Not that I know of.
References
#172