On Sat, May 30, 2009 at 8:04 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
> M Joonas Pihlaja's recent messages reminded me about a lingering issue
> in the standalone Lua interpreter (and perhaps also in embedded
> applications): "." is on the package path, which means that malicious
> scripts in the current script are picked up, even if you run a Lua
> program which is stored in a completely different directory.
>

Ha, good point. /me has some code to fix...

> I think this should be fixed.  There are two different approaches:
>
>  - Put "." at the end of the search path.  On first sight, this means
>    that unless the application tries to require a nonexistent module,
>    it will always pick up system libraries first, and not something
>    in the current directory.  (Perl does this.)  However, Lua
>    processes the entire path twice if a native module is loaded, so
>    that would have to be changed.
>

Yeah, I'm not a big fan of this. I'm not sure if the problem even
warrants a solution such as this one.

>  - Instead of ".", use the path of the current script.  (This is what
>    Python does.) It seems that this is already implemented for
>    Windows, but I'm not sure about that.
>

I would much prefer this solution, but I'm not sure how (or if) it can
be done in a portable fashion.

Matthew
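To make the issue under discussion concrete, here is an added example (my own code, not from this thread or from the Lua distribution) that strips the current-directory entries from `package.path` and `package.cpath` and, following the second approach above, optionally appends the running script's own directory instead. It assumes Lua 5.1 semantics: search templates separated by `;`, `?` as the module-name placeholder, and `arg[0]` holding the script name under the standalone `lua` interpreter. All function names are mine.

```lua
-- Added example, not code from the lua-l thread: remove "." from the
-- module search path and optionally substitute the script's directory.
-- Assumes Lua 5.1: package.path / package.cpath are ";"-separated
-- templates with "?" as placeholder; arg[0] is the script name.

local function split(path)
  local out = {}
  for tpl in string.gmatch(path, "[^;]+") do
    out[#out + 1] = tpl
  end
  return out
end

-- True if a template resolves relative to the current working directory:
-- it starts with "./" (or ".\" on Windows), or has no directory part at
-- all (fopen("?.lua") is cwd-relative; treated the same for cpath, which
-- is conservative).
local function is_cwd_relative(tpl)
  if tpl:match("^%.[/\\]") then return true end
  if not tpl:match("[/\\]") then return true end
  return false
end

-- Returns true if the given search path still contains a cwd entry.
local function has_cwd_entry(path)
  for _, tpl in ipairs(split(path)) do
    if is_cwd_relative(tpl) then return true end
  end
  return false
end

-- Returns the path with every cwd-relative template removed.
local function strip_cwd(path)
  local kept = {}
  for _, tpl in ipairs(split(path)) do
    if not is_cwd_relative(tpl) then kept[#kept + 1] = tpl end
  end
  return table.concat(kept, ";")
end

-- Directory of the running script, derived from arg[0]. A bare name
-- (no slash) means the script lives in the cwd, so "." is returned;
-- nil when arg[0] is unavailable (e.g. embedded host, interactive use).
local function script_dir()
  local name = arg and arg[0]
  if not name then return nil end
  return name:match("^(.*)[/\\]") or "."
end

-- Apply the hardening to a package table. The script directory is
-- appended last so that system libraries win on a name clash (the Perl
-- ordering discussed above); move it to the front for Python's ordering.
local function harden(pkg, dir)
  pkg.path  = strip_cwd(pkg.path)
  pkg.cpath = strip_cwd(pkg.cpath)
  if dir then
    pkg.path = pkg.path .. ";" .. dir .. "/?.lua;" .. dir .. "/?/init.lua"
  end
  assert(not has_cwd_entry(pkg.cpath), "cpath still searches the cwd")
  return pkg
end

harden(package, script_dir())
```

Under the standalone interpreter this can be applied before the target script runs by pointing `LUA_INIT` at the file (`LUA_INIT="@/path/to/harden.lua"`); an embedding host would instead call the equivalent after `luaL_openlibs`. Note that `strip_cwd` only removes entries, so a deployment that has set `LUA_PATH` to an absolute directory is left untouched.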