lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]


Le Sun, 19 Jul 2015 11:24:07 +0200,
Dirk Laurie <dirk.laurie@gmail.com> a écrit :

> 2015-07-19 11:05 GMT+02:00 Egor Skriptunoff
> <egor.skriptunoff@gmail.com>:
> 
> > As Lua 5.2 and Lua 5.3 manuals say, "Maliciously crafted binary
> > chunks can crash the interpreter".
> > That's why additional argument was introduced in load() and
> > loadfile(): mode = "b" / "t" / "bt"
> > But why we do not have the same argument in require() ?
> > Maliciously crafted "crash.luac" file can be renamed to
> > "some_module.lua", and the interpreter will crash on
> > require("some_module") If it can be considered as security hole, we
> > definitely need an option to disable loading bytecode files in
> > require()
> 
> It's a security hole to allow "require", period. Maybe one could
> compile Lua with default path defined in luaconf.h to exclude
> directories to which the hacker might have write access and
> also modify loadlib.c so that environment variables are not
> queried. Maybe.
> 

It is a huge security hole with default searchers (or loaders in 5.1),
yes. I'll add that require can also load binary modules, so you don't
even need malicious bytecode to execute arbitrary code!

But, you can replace searchers with you own, that can olny load trusted
source code. See [1].

[1] http://www.lua.org/manual/5.3/manual.html#pdf-package.searchers