lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

2015-07-19 11:05 GMT+02:00 Egor Skriptunoff <>:

> As Lua 5.2 and Lua 5.3 manuals say, "Maliciously crafted binary chunks can
> crash the interpreter".
> That's why additional argument was introduced in load() and loadfile():
> mode = "b" / "t" / "bt"
> But why we do not have the same argument in require() ?
> Maliciously crafted "crash.luac" file can be renamed to "some_module.lua",
> and the interpreter will crash on require("some_module")
> If it can be considered as security hole, we definitely need an option to
> disable loading bytecode files in require()

It's a security hole to allow "require", period. Maybe one could
compile Lua with default path defined in luaconf.h to exclude
directories to which the hacker might have write access and
also modify loadlib.c so that environment variables are not
queried. Maybe.