- Subject: Loading bytecode in require()
- From: Egor Skriptunoff <egor.skriptunoff@...>
- Date: Sun, 19 Jul 2015 12:05:17 +0300
As the Lua 5.2 and Lua 5.3 manuals say, "Maliciously crafted binary chunks can crash the interpreter".
That's why an additional argument was introduced in load() and loadfile():
mode = "b" / "t" / "bt"
But why do we not have the same argument in require()?
A maliciously crafted "crash.luac" file can be renamed to "some_module.lua", and the interpreter will crash on require("some_module").
If it can be considered a security hole, we definitely need an option to disable loading bytecode files in require().
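
An added example, not part of the original post: one way to get a text-only require() in Lua 5.2/5.3 is to replace the stock Lua-file searcher in package.searchers with one that calls loadfile() with mode "t". The name text_only_searcher and the demo module file name are assumptions made for this sketch, and the demo chunk is a harmless constructed one.

```lua
-- Searcher that resolves modules through package.path exactly like the
-- stock Lua searcher, but refuses precompiled (binary) chunks.
local function text_only_searcher(name)
  local path, err = package.searchpath(name, package.path)
  if not path then
    return err            -- a string tells require() why nothing was found
  end
  -- Mode "t" makes loadfile() reject anything that is a binary chunk.
  local chunk, load_err = loadfile(path, "t")
  if not chunk then
    error(("error loading module '%s' from file '%s':\n\t%s")
            :format(name, path, load_err), 0)
  end
  return chunk, path      -- loader plus the extra value passed to it
end

-- Slot 2 is the searcher that looks for Lua files on package.path.
package.searchers[2] = text_only_searcher

-- Constructed demo: a benign precompiled chunk saved under a ".lua" name.
local fname = "bytecode_demo_mod.lua"      -- hypothetical module file
local f = assert(io.open(fname, "wb"))
f:write(string.dump(function() return { ok = true } end))
f:close()

package.path = "./?.lua;" .. package.path
local ok, msg = pcall(require, "bytecode_demo_mod")
os.remove(fname)

-- With the replacement searcher installed, require() fails with a
-- load error instead of executing the binary chunk.
print("require succeeded:", ok)
print(msg)
```

This only covers modules found through package.path; dofile() and any load()/loadfile() call without an explicit mode still accept binary chunks.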