lua-users home
lua-l archive

M Joonas Pihlaja's recent messages reminded me about a lingering issue
in the standalone Lua interpreter (and perhaps also in embedded
applications): "." is on the package path, which means that malicious
scripts in the current script are picked up, even if you run a Lua
program which is stored in a completely different directory.

I think this should be fixed.  There are two different approaches:

  - Put "." at the end of the search path.  On first sight, this means
    that unless the application tries to require a nonexistent module,
    it will always pick up system libraries first, and not something
    in the current directory.  (Perl does this.)  However, Lua
    processes the entire path twice if a native module is loaded, so
    that would have to be changed.

  - Instead of ".", use the path of the current script.  (This is what
    Python does.) It seems that this is already implemented for
    Windows, but I'm not sure about that.
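As an added example (not code from the original message), here is how the second approach can be applied from inside a script running under the standalone interpreter: the current-directory templates are dropped from `package.path` and `package.cpath`, and templates rooted at the running script's directory (taken from `arg[0]`) are appended at the end so that installed modules still win. The `!` executable-directory marker is Lua's own; the function names are assumptions for this example.

```lua
-- Rebuild package.path / package.cpath so "." is no longer searched.
-- Must run before the first require() of anything untrusted input can name.

-- Split a ";"-separated search path into its templates.
local function split_path(path)
  local templates = {}
  for tpl in string.gmatch(path, "[^;]+") do
    templates[#templates + 1] = tpl
  end
  return templates
end

-- A template is resolved against the process's working directory unless it
-- is absolute ("/..." or "C:\...") or anchored at the executable ("!").
local function is_cwd_relative(tpl)
  if tpl:match("^/") or tpl:match("^%a:[\\/]") or tpl:match("^!") then
    return false
  end
  return true
end

-- Directory of the running script from arg[0]; falls back to "./" when the
-- script was given without a directory part (then nothing is gained).
local function script_dir()
  local path = (arg and arg[0]) or ""
  return path:match("^(.*[/\\])") or "./"
end

-- Drop cwd-relative templates, then append script-directory templates LAST.
local function harden_path(path, dir, suffixes)
  local kept = {}
  for _, tpl in ipairs(split_path(path)) do
    if not is_cwd_relative(tpl) then
      kept[#kept + 1] = tpl
    end
  end
  for _, suffix in ipairs(suffixes) do
    kept[#kept + 1] = dir .. suffix
  end
  return table.concat(kept, ";")
end

local dir = script_dir()
package.path  = harden_path(package.path,  dir, { "?.lua", "?/init.lua" })
package.cpath = harden_path(package.cpath, dir, { "?.so", "?.dll" })

-- Constructed Lua 5.1-style default path, to show the rewrite without
-- depending on the host's installation:
local sample = "./?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/share/lua/5.1/?/init.lua"
print(harden_path(sample, "/opt/app/", { "?.lua", "?/init.lua" }))
```

Because `package.path` is still searched in full before `package.cpath`, a `.lua` file in the script directory can still shadow a C module of the same name; this only removes the working-directory entries, which is the issue the message raises.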