On 5 November 2013 01:13, Leo Razoumov <slonik.az@gmail.com> wrote:
> I just tried to install the latest luarocks from the Github repo
> master (SHA1: 143cc28429)
> on the Mac OSX 10.6.8 (Snow Leopard). 'make build' resulted in error
> ...
> '/pkg/lua-5.1.5.LR3-mac/bin/lua' -e "package.path=[[`echo "$PWD" | sed
> -e 's/\([][]\)\1/]]..'\''\1\1'\''..[[/g' -
> `/src/?.lua;]]..package.path" src/bin/luarocks make rockspec
> --tree="/pkg/lua-5.1.5.LR3-mac"
> sed: -: No such file or directory
> ...
>
> which I was able to trace to a complex and fragile definition of
> SAFEPWD variable in the main Makefile.
>
> SAFEPWD=`echo "$$PWD" | sed -e 's/\([][]\)\1/]]..'\''\1\1'\''..[[/g' -`
>
> Removing this variable and replacing it with a regular $$PWD solved the problem.
>
> I am curious, what's the point of sanitizing PWD value?
> Is it an attempt to prevent malicious use of path names:-)

Yes, because the path is concatenated into a Lua string which is
evaluated during "make install", which often runs with root
permissions... so we thought we'd be overcautious with that. I'm not
good at imagining black-hat scenarios, but you never know how those
crafty people could come up with a directory name called
"/home/user/foo]];os.execute('evil');x=[[bar"...

-- Hisham
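
An added example, not part of the original message or of the LuaRocks Makefile: one way to embed an arbitrary directory name in a Lua long string without rewriting its contents is to pick a bracket level whose closing delimiter cannot occur in the name. The helper name `lua_long_quote` is hypothetical, and the sample path is the one from the reply above.

```shell
#!/bin/sh
# Quote an arbitrary string as a Lua long-bracket literal ([=[ ... ]=]).
# lua_long_quote is a hypothetical helper name, not LuaRocks code.
# Assumption: the string contains no carriage returns (Lua normalises
# line endings inside long strings, so those would not round-trip).

lua_long_quote() {
    s=$1
    eq='='    # start at level 1, so a plain "]]" in the name closes nothing

    # A level-N long string ends only at "]" + N "=" + "]". Raise N until
    # "]" followed by N "=" is absent from the string. Checking the shorter
    # prefix also covers a name that ends in "]=...=", which would otherwise
    # merge with the closing delimiter we append.
    while case $s in *"]$eq"*) true ;; *) false ;; esac; do
        eq="$eq="
    done

    # Lua drops one newline directly after the opening bracket. Emitting it
    # ourselves keeps a leading newline in the string from being swallowed.
    printf '[%s[\n%s]%s]' "$eq" "$s" "$eq"
}

# Constructed demo input: the directory name from the reply above.
demo="/home/user/foo]];os.execute('evil');x=[[bar"

# The resulting chunk keeps the whole name inside one string literal.
printf 'package.path=%s.."/src/?.lua;"..package.path\n' \
    "$(lua_long_quote "$demo")"
```

Passing the directory through the environment and reading it with `os.getenv` inside the Lua chunk avoids building Lua source from the path at all.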