lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index] 

Hello Mike,

Tuesday, December 5, 2006, 12:53:13 AM, you wrote:

MP> Since we really, really want to avoid a later public outcry about
MP> Lua being "unsafe" or a "security risk" I suggest to remove the
MP> current directory from the search path for require(). Both on
MP> Windows and on POSIX platforms [possible FIX #2].

I agree with you. Current directory in the search path for require()
is "unsafe" , just like microsoft think loading a dll from current
directory is unsafe .

MP> This also avoids the above problem of course. But the main
MP> consequence is that you _must_ install modules to be loaded with
MP> require() into a directory in the Lua module search path. Anyone
MP> can override the behaviour by setting LUA_PATH or LUA_CPATH or
MP> editing luaconf.h. But he/she does so at his/her own risk (e.g.
MP> only during development).

How about adding a new mark to indicate the full path at the
beginning ? Unlike the "current path", it will not be changed.

MP> Note: the current directory still works for scripts loaded with
MP> dofile("foo.lua") or on the command line with 'lua foo.lua'.

Yeah, we should remember the full path beginning for scripts loaded with dofile.
Using the code in current directory is unsafe for the same reason.


-- 
Best regards,
 Cloud                            mailto:cloudwu@163.com
            http://blog.codingnow.com

[为你的免疫力着想, 还是迎接挑战吧!]