lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Hello Mike.
Mike Pall  wrote:

But I've found several postings in various forums which indicate
problems when you feed relative paths to LoadLibrary. Seems the
exact behaviour depends on the OS version and service level. The
general recommendation was to use GetFullPathName() and always
pass absolute paths to LoadLibrary() [possible FIX #1].

I agree that in WIndows one must always use absolute paths to be
safe. Sadly, GetFullPathName() genrates a name that is based on
the "current" directory.  So it does not gain you much.
Deriving names based on the directory component of
GetModuleFileName() (the "!" value) is a safe.

It would appear that the lastest change to LoadLibrary search
order reverts the search order the same as it was in Windows 3.1,
this was abandoned on the basis that it was both unmaintainable
and unsafe.

I've noted quite a few security related postings during my
search. Loading anything relative to the current directory is an
accident waiting to happen. It's far too easy for someone to mess
up their system or to fall prey to malicious code injection. Note
that even a seemingly innocent file open dialog may change the
current directory ...

Since we really, really want to avoid a later public outcry about
Lua being "unsafe" or a "security risk" I suggest to remove the
current directory from the search path for require(). Both on
Windows and on POSIX platforms [possible FIX #2].

I agree with this.

I think it also requires a string constant added to Lua (in windows)
which is the module directory derived from lua.exe or lua51.dll.
So the current "!" require() search paths is available as a string
for usage in loadlib(). e.g. _MODULEPATH=