Re: Loading bytecode in require()

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Loading bytecode in require()
From: Julien Desgats <julien+lua@...>
Date: Sun, 19 Jul 2015 12:15:58 +0200

Le Sun, 19 Jul 2015 11:24:07 +0200,
Dirk Laurie <dirk.laurie@gmail.com> a écrit :

> 2015-07-19 11:05 GMT+02:00 Egor Skriptunoff
> <egor.skriptunoff@gmail.com>:
> 
> > As Lua 5.2 and Lua 5.3 manuals say, "Maliciously crafted binary
> > chunks can crash the interpreter".
> > That's why additional argument was introduced in load() and
> > loadfile(): mode = "b" / "t" / "bt"
> > But why we do not have the same argument in require() ?
> > Maliciously crafted "crash.luac" file can be renamed to
> > "some_module.lua", and the interpreter will crash on
> > require("some_module") If it can be considered as security hole, we
> > definitely need an option to disable loading bytecode files in
> > require()
> 
> It's a security hole to allow "require", period. Maybe one could
> compile Lua with default path defined in luaconf.h to exclude
> directories to which the hacker might have write access and
> also modify loadlib.c so that environment variables are not
> queried. Maybe.
> 

It is a huge security hole with default searchers (or loaders in 5.1),
yes. I'll add that require can also load binary modules, so you don't
even need malicious bytecode to execute arbitrary code!

But, you can replace searchers with you own, that can olny load trusted
source code. See [1].

[1] http://www.lua.org/manual/5.3/manual.html#pdf-package.searchers

Follow-Ups:
- Re: Loading bytecode in require(), Egor Skriptunoff

References:
- Loading bytecode in require(), Egor Skriptunoff
- Re: Loading bytecode in require(), Dirk Laurie

Prev by Date: Re: Patterns: Why are anchors not character classes?
Next by Date: Re: Loading bytecode in require()
Previous by thread: Re: Loading bytecode in require()
Next by thread: Re: Loading bytecode in require()
Index(es):
- Date
- Thread