Revert to the original sel_getUid() behavior

TL;DR: How to verify that a selector with a given name was registered without actually registering it?

Thanks!


Hi, I have an Objective-C application and many NSObjects that are exported to Lua state through a simple proxy library written in objc. All Lua calls, such as:

    exported_objc_object:myMethodName(...)
    -- same as --
    exported_objc_object.myMethodName(exported_objc_object, ...)
    -- same as --
    key = 'myMethodName'
    exported_objc_object[key](exported_objc_object, ...)

are redirected as if someone were calling:

    [objc_object lua_myMethodName:L];
    // declared as - (int)lua_myMethodName:(lua_State *)L { ... }

In fact, any get operation on a Lua-exported object returns a cached Lua closure that, when called, calls the corresponding Objective-C method through a selector built using sprintf(s, "lua_%s:", key) && sel_getUid(s) (all checks are included). If the created selector is not implemented in terms of -[respondsToSelector:], then exported_objc_object.myMethodName simply returns nil.

Obviously, the proxy library should do a dynamic lookup through sel_getUid() or sel_registerName() (I believe that both @selector and NSSelectorFromString() also end up there). The manual states that sel_getUid() is intended for looking up selector names (as opposed to registering them immediately in the SEL registry), but the modern implementation now does the same as sel_registerName() due to errors in some code back then.

I can just stick to the behavior of sel_registerName(), but this leaves a memory attack vector, as some malicious scripts can start looking up long random / invalid selectors via object[makeRandomKey()] in a loop, thereby overflowing the SEL registry forever. If sel_getUid() worked as planned, the proxy library could check for the presence of the selector and only then check whether the object responds to it, without excessive registration. But this is not so.

+5
1 answer

Here is a hack that may work, which uses the implementation-dependent fact that a selector is a C string.

 sel_isMapped((SEL)(void *)"lua_myMethodName:") 
+4
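
A different way to keep untrusted Lua keys out of the selector table, as an added example that is not code from the question or the answer: enumerate the `lua_<name>:` methods a class already implements and resolve keys against that table only. `LuaSelectorTable`, `LuaSelectorForKey` and the `Demo` class are hypothetical names, and the sketch assumes the `lua_` methods are ordinary compiled instance methods (not added through dynamic method resolution or forwarding).

```objc
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#include <stdlib.h>
#include <string.h>

// Hypothetical helper: map "myMethodName" -> SEL for every lua_<name>: method
// found on cls and its superclasses. Build once per class and cache the result.
static NSDictionary<NSString *, NSValue *> *LuaSelectorTable(Class cls) {
    NSMutableDictionary<NSString *, NSValue *> *table = [NSMutableDictionary dictionary];
    for (Class c = cls; c != Nil; c = class_getSuperclass(c)) {
        unsigned int count = 0;
        Method *methods = class_copyMethodList(c, &count);
        for (unsigned int i = 0; i < count; i++) {
            SEL sel = method_getName(methods[i]);
            const char *name = sel_getName(sel);
            size_t len = strlen(name);
            // Keep only one-argument selectors of the form lua_<key>:
            if (len <= 5 || strncmp(name, "lua_", 4) != 0) continue;
            if (name[len - 1] != ':' || memchr(name, ':', len - 1) != NULL) continue;
            NSString *key = [[NSString alloc] initWithBytes:name + 4
                                                     length:len - 5
                                                   encoding:NSUTF8StringEncoding];
            if (key) table[key] = [NSValue valueWithPointer:sel];
        }
        free(methods);
    }
    return table;
}

// Returns NULL for unknown keys. The key string is only used for a dictionary
// lookup, so nothing is added to the runtime's selector table.
static SEL LuaSelectorForKey(NSDictionary<NSString *, NSValue *> *table, const char *key) {
    NSString *k = [NSString stringWithUTF8String:key];
    return k ? (SEL)[table[k] pointerValue] : NULL;
}

// Constructed demo class standing in for an exported object.
@interface Demo : NSObject
@end
@implementation Demo
- (int)lua_ping:(void *)L { return 0; }
@end

int main(void) {
    @autoreleasepool {
        NSDictionary<NSString *, NSValue *> *t = LuaSelectorTable([Demo class]);
        NSLog(@"ping   -> %s", sel_getName(LuaSelectorForKey(t, "ping")));
        NSLog(@"random -> %p", (void *)LuaSelectorForKey(t, "zzz_random_key"));
    }
    return 0;
}
```

Because the table is built from method lists, a `NULL` result here already means the object does not respond to the selector, so the proxy can return nil to Lua without a separate registration or lookup call.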