- Subject: Re: ./?.lua in the default search path
- From: Matthew Wild <mwild1@...>
- Date: Sat, 30 May 2009 20:15:31 +0100

On Sat, May 30, 2009 at 8:04 PM, Florian Weimer <firstname.lastname@example.org> wrote:
> M Joonas Pihlaja's recent messages reminded me about a lingering issue
> in the standalone Lua interpreter (and perhaps also in embedded
> applications): "." is on the package path, which means that malicious
> scripts in the current script are picked up, even if you run a Lua
> program which is stored in a completely different directory.

Ha, good point. /me has some code to fix...

> I think this should be fixed. There are two different approaches:
> - Put "." at the end of the search path. On first sight, this means
> that unless the application tries to require a nonexistent module,
> it will always pick up system libraries first, and not something
> in the current directory. (Perl does this.) However, Lua
> processes the entire path twice if a native module is loaded, so
> that would have to be changed.

Yeah, I'm not a big fan of this. I'm not sure if the problem even
warrants a solution such as this one.

> - Instead of ".", use the path of the current script. (This is what
> Python does.) It seems that this is already implemented for
> Windows, but I'm not sure about that.

I would much prefer this solution, but I'm not sure how (or if) it can
be done in a portable fashion.
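
The second approach discussed above (search the script's directory instead of "."), as an added example that is not part of the original thread or of the Lua distribution. The helper names `is_relative`, `script_dir` and `rebase` are hypothetical, and the code assumes the standalone interpreter's `arg` table is available.

```lua
-- Added example: run at the top of a script, before the first require().
-- Rewrites relative search templates such as "./?.lua" so that they point
-- at the directory of the running script rather than the current directory.

-- True unless the template starts with "/", "\" or a drive letter ("C:\").
local function is_relative(template)
  return not (template:match("^[/\\]") or template:match("^%a:[/\\]"))
end

-- Directory part of arg[0]. Returns "." when the script was started by bare
-- file name (it then lives in the current directory) and nil when there is
-- no arg table (embedded use), in which case relative entries are dropped.
local function script_dir()
  local script = type(arg) == "table" and arg[0] or nil
  if not script then return nil end
  return script:match("^(.*)[/\\][^/\\]*$") or "."
end

-- Rebuild a ";"-separated search path, keeping absolute templates as they
-- are and re-rooting relative ones under `dir`.
local function rebase(path, dir)
  local kept, seen = {}, {}
  for template in path:gmatch("[^;]+") do
    if is_relative(template) then
      if dir then
        local rest = template:gsub("^%.[/\\]", "")  -- strip leading "./"
        template = dir .. "/" .. rest
      else
        template = nil
      end
    end
    if template and not seen[template] then
      seen[template] = true
      kept[#kept + 1] = template
    end
  end
  return table.concat(kept, ";")
end

-- Caveat: if arg[0] is itself relative (e.g. "tools/run.lua"), the result is
-- still resolved against the working directory at require() time. Core Lua
-- has no portable way to make it absolute, so do not change directory
-- before loading modules.
local dir = script_dir()
package.path  = rebase(package.path, dir)
package.cpath = rebase(package.cpath, dir)  -- native modules use cpath
```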