On Fri, 30 Jan 2004, Jay Carlson wrote:

> On Wed, 28 Jan 2004, Reuben Thomas wrote:
>
> > > os.execute and io.popen are scary functions.  When using them, you have
> > > to be very certain about the contents of the strings being passed in.
> > > I'm going to pick on your code, since you were brave enough to post it,
> > > but this is an underlying problem many of us have run into.  Me, I ran
> > > into it the hard way.  It would be nice if we could solve it just once.
> >
> > I'm not sure it's wise to try. Better is to do one of two things: in the
> > case I've just outlined, it's better to use dirent functions (and more
> > portable, OS-wise, although admittedly it means you need poslib).
>
> Why's it in your std library then?

Because when I wrote it Lua 4 had recently come out, and poslib hadn't yet
been updated. Afterwards I never had reason to make it safe, as I was only
using it in hacky shell scripts.

> I think it's because sometimes it's useful to have a bare-Lua
> implementation of these things, especially given that in a lot of
> situations people don't have posix extensions built for their
> platform.

That's a good reason.

> Lua Cheia will help with this, but I'd really like there to
> be an answer, if reasonable, for people who just download the upstream
> C distribution and type make.

Fair enough. Anyway, if the Python people or whoever worked out a
bulletproof strategy, that's fine. I'm just worried that any solution
involving the shell will always have security problems. In that case, one
might as well be honest and really hacky, like me, rather than pretending
to have something that works.

> It's not too hard to do both, with a common interface.

I'm not sure whether to say "now you're talking" or "that's madness,
making something that really does work and something that is lunacy
papered over appear to be just two alternative implementations of the same
API".

> Anyway, I'm offering to write the hokey /bin/sh version if we can
> figure out the right API together. :-)

Hokey-cokey. I haven't really thought about that yet, but as I said
before, I think fundamentally it should be based on arrays of strings
(arguments in exec speak). Since I think the aim should be to pretend
you're not using the shell, how about first building exec and glob, and
then finding a convenient syntax for combining their use?

As to the environment, again, by default it should be bare, and you can
supply an environment if you want, like in execle.

So, unless you're trying to get fancy and allow something like
$-interpolation, the primitive would be something like execle:

    execle (command[, arg_table[, env_table]])

You could then have wrappers in which the contents of arg_table (and
env_table?) were subject to globbing, interpolation et al.

Does that look reasonable? Similar to the POSIX call, simple to describe,
fairly convenient. I'm sure that in my enthusiasm I've forgotten something
important from one of your earlier examples...

> Hm.  Now that I looked, between poslib and lposix, I don't see any way
> of manipulating file descriptors.  Ugh.

Oops. But that's something to be added.

> I'm just trying to figure out what minimal support is needed at the
> language level to let people write their own mechanisms....

Not something to worry about while designing a library as above; it's an
interesting question in its own right. Really, interpolation like that is
a more sophisticated form of the little languages you get in printf
(string.format) and the like. But do you really need any support in Lua
itself? I doubt it.

-- 
http://www.mupsych.org/~rrt/ | resident, a.  unable to leave (Bierce)
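
The `/bin/sh`-backed variant of the `execle (command[, arg_table[, env_table]])` primitive discussed in the message above, sketched in bare Lua as an added example; it is not code from the thread or from any Lua library. The helper names `shquote` and `build_command` are hypothetical, and it assumes a POSIX system where `os.execute` hands its string to `/bin/sh` and `env -i` is available; unlike the POSIX call it runs the command and waits rather than replacing the process.

```lua
-- Added illustration, not the list's or any library's code.
-- Every word reaches the shell single-quoted, so the shell never expands
-- globs, $variables, backticks or ';' found in caller-supplied strings.

-- Quote one string as a single literal shell word. Inside single quotes only
-- the quote itself is special, so each ' becomes '\'' (close, escaped ', reopen).
local function shquote(s)
  s = tostring(s)
  if s:find("\0", 1, true) then
    error("NUL byte cannot be passed in an argument", 2)
  end
  return "'" .. s:gsub("'", "'\\''") .. "'"
end

-- Build the command line: env -i gives the bare environment by default,
-- and env_table supplies the only variables the child will see.
local function build_command(command, arg_table, env_table)
  if command == "" or command:find("^%-") or command:find("=", 1, true) then
    -- env would read these as one of its own options or as an assignment
    error("unsafe command name: " .. command, 2)
  end
  local words, names = { "env", "-i" }, {}
  for name in pairs(env_table or {}) do
    if type(name) ~= "string" or not name:match("^[%a_][%w_]*$") then
      error("bad environment variable name: " .. tostring(name), 2)
    end
    names[#names + 1] = name
  end
  table.sort(names) -- deterministic order
  for _, name in ipairs(names) do
    words[#words + 1] = shquote(name .. "=" .. tostring(env_table[name]))
  end
  words[#words + 1] = shquote(command)
  for _, arg in ipairs(arg_table or {}) do
    words[#words + 1] = shquote(arg)
  end
  return table.concat(words, " ")
end

-- Same call shape as the proposed primitive; returns whatever os.execute returns.
local function execle(command, arg_table, env_table)
  return os.execute(build_command(command, arg_table, env_table))
end

-- Constructed sample: a file name that would run commands if pasted into a shell string.
local name = "x'; echo INJECTED; '$(id)*.txt"
print(build_command("/bin/ls", { "-l", "--", name }, { LC_ALL = "C" }))
execle("/bin/ls", { "-l", "--", name }, { LC_ALL = "C" })
```

Quoting stops the shell from interpreting the arguments; it does not stop the invoked program from treating an argument that begins with `-` as an option, which is why the sample call passes `--` before the file name.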