- Subject: ./?.lua in the default search path
- From: Florian Weimer <fw@...>
- Date: Sat, 30 May 2009 21:04:04 +0200
M Joonas Pihlaja's recent messages reminded me about a lingering issue
in the standalone Lua interpreter (and perhaps also in embedded
applications): "." is on the package path, which means that malicious
scripts in the current script are picked up, even if you run a Lua
program which is stored in a completely different directory.

I think this should be fixed. There are two different approaches:

- Put "." at the end of the search path. At first sight, this means
  that unless the application tries to require a nonexistent module,
  it will always pick up system libraries first, and not something
  in the current directory. (Perl does this.) However, Lua
  processes the entire path twice if a native module is loaded, so
  that would have to be changed.

- Instead of ".", use the path of the current script. (This is what
  Python does.) It seems that this is already implemented for
  Windows, but I'm not sure about that.
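
An added example, not part of the original message or of Lua itself: one way a script could apply the second approach at startup, rebasing relative entries of `package.path` and `package.cpath` onto its own directory and dropping them when that directory is unknown. The helper names `is_absolute`, `script_dir` and `harden`, the `/opt/app` directory and the sample path are constructed for illustration.

```lua
-- Added example: remove the current-directory dependency from the module
-- search path before any require() runs. Assumes the standalone interpreter,
-- where arg[0] holds the script name.

local function is_absolute(t)
  return t:sub(1, 1) == "/"            -- POSIX absolute path
      or t:match("^%a:[/\\]") ~= nil   -- Windows drive path
      or t:sub(1, 2) == "\\\\"         -- Windows UNC path
end

-- Directory part of the running script, or nil when it cannot be used.
local function script_dir()
  local script = type(arg) == "table" and arg[0]
  local dir = type(script) == "string" and script:match("^(.*)[/\\][^/\\]*$")
  -- "?" and ";" are metacharacters in a search path; refuse such directories.
  if not dir or dir == "" or dir:find("[?;]") then return nil end
  return dir
end

-- Rebuild a search path: absolute templates are kept as they are, relative
-- ones ("./?.lua", "./?.so") are rebased onto dir, or dropped if dir is nil.
local function harden(path, dir)
  local out, seen = {}, {}
  for t in path:gmatch("[^;]+") do
    if not is_absolute(t) then
      t = dir and (dir .. "/" .. (t:gsub("^%.[/\\]", ""))) or nil
    end
    if t and not seen[t] then
      seen[t] = true
      out[#out + 1] = t
    end
  end
  return table.concat(out, ";")
end

-- Constructed sample in the style of a Unix Lua 5.1 search path.
local sample = "./?.lua;/usr/local/share/lua/5.1/?.lua;"
            .. "/usr/local/share/lua/5.1/?/init.lua"
print(harden(sample, nil))         -- script directory unknown
print(harden(sample, "/opt/app"))  -- constructed script directory

-- Apply to the live interpreter state.
local dir = script_dir()
package.path  = harden(package.path, dir)
package.cpath = harden(package.cpath, dir)
```

When the script is started with a relative name, the rebased entries are still resolved against the working directory at that moment, but they point at the script's own location rather than at whatever directory the user happens to be in.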