Re: Loading bytecode in require()

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Loading bytecode in require()
From: Dirk Laurie <dirk.laurie@...>
Date: Sun, 19 Jul 2015 11:24:07 +0200

2015-07-19 11:05 GMT+02:00 Egor Skriptunoff <egor.skriptunoff@gmail.com>:

> As Lua 5.2 and Lua 5.3 manuals say, "Maliciously crafted binary chunks can
> crash the interpreter".
> That's why additional argument was introduced in load() and loadfile():
> mode = "b" / "t" / "bt"
> But why we do not have the same argument in require() ?
> Maliciously crafted "crash.luac" file can be renamed to "some_module.lua",
> and the interpreter will crash on require("some_module")
> If it can be considered as security hole, we definitely need an option to
> disable loading bytecode files in require()

It's a security hole to allow "require", period. Maybe one could
compile Lua with default path defined in luaconf.h to exclude
directories to which the hacker might have write access and
also modify loadlib.c so that environment variables are not
queried. Maybe.

Follow-Ups:
- Re: Loading bytecode in require(), Julien Desgats

References:
- Loading bytecode in require(), Egor Skriptunoff

Prev by Date: Loading bytecode in require()
Next by Date: Re: Patterns: Why are anchors not character classes?
Previous by thread: Loading bytecode in require()
Next by thread: Re: Loading bytecode in require()
Index(es):
- Date
- Thread