On Sunday, July 19, 2015 01:52:26 PM Egor Skriptunoff wrote:
> Yes, possibility of loading native machine code in require() should also be
> disableable:
> mode = "t" / "b" / "n" / "tbn"

As was mentioned, you can put a custom function in package.searchers that will 
reject untrusted files. The third and fourth default searchers handle native 
libraries, so to reject those just set 
`package.searchers[3] = nil; package.searchers[4] = nil`. To filter compiled Lua 
you can wrap the second loader with

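    local luasearcher = package.searchers[2]
    package.searchers[2] = function(mod)
        local loader, filename = luasearcher(mod)
        if filename then
            -- Binary mode so the signature bytes are read unmodified
            local luafile = io.open(filename, "rb")
            if luafile then
                local header = luafile:read(4)
                luafile:close() -- close before deciding, so no handle leaks
                -- "\27Lua" is the signature at the start of a precompiled chunk
                if header == "\27Lua" then
                    return nil
                end
            end
        end
        return loader, filename
    end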

But I don't know why you'd really want to do that. Require is assumed to be 
operating on trusted code so there's no need for safeguards. It is not typical 
for user-supplied files to be loaded that way. If you don't trust it, use 
loadfile and lock it in a sandbox.

If an attacker is able to create untrusted files to be loaded by require then 
it's likely he's able to create any file. Then there's no protection from 
forbidding binary loads as the text of the required file could be 
`loadfile("/tmp/binarypayload.lua","b")`.

Or, extra files aren't even needed. You can write the binary payload into a 
string and call `load(stringpayload, nil, "b")`. Unless you remove load from 
the global environment. How many third-party modules will that break? Probably 
not many, to be honest. But if you're going to that extent you may as well 
just set up a proper sandboxing framework and load untrusted files manually 
instead of with require.

-- 
tom <telliamed@whoopdedo.org>
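
The closing advice in the message above (load untrusted files with loadfile inside a sandbox instead of through require), as an added example that is not part of the original message or of Lua's own code. It assumes Lua 5.2 or later; the names `make_env`, `load_untrusted` and `write_tmp` and the contents of the whitelist are illustrative choices.

```lua
-- Added example, not code from the original message. Assumes Lua 5.2+,
-- where loadfile accepts mode and env arguments.

-- Illustrative whitelist: no load, loadfile, dofile, require, io, os, debug.
-- Caveat: string values still reach the full string library through their
-- metatable, e.g. ("x"):rep(n), and nothing here limits CPU or memory.
local function make_env()
    return {
        assert = assert, error = error, ipairs = ipairs, pairs = pairs,
        pcall = pcall, select = select, tonumber = tonumber,
        tostring = tostring, type = type,
        math = { floor = math.floor, max = math.max, min = math.min },
        string = { format = string.format, sub = string.sub, len = string.len },
        table = { concat = table.concat, insert = table.insert },
    }
end

-- Hypothetical helper: load a file as source text only, then run it with the
-- whitelist as its global environment. Returns true plus the chunk's results,
-- or false plus an error message.
local function load_untrusted(path)
    -- Mode "t" makes loadfile refuse precompiled chunks.
    local chunk, err = loadfile(path, "t", make_env())
    if not chunk then
        return false, err
    end
    return pcall(chunk)
end

-- Constructed sample inputs, written to temporary files.
local function write_tmp(data)
    local path = os.tmpname()
    local f = assert(io.open(path, "wb"))
    f:write(data)
    f:close()
    return path
end

local text_mod = write_tmp(
    'return type(load), type(require), string.format("%d", 42)')
local bin_mod = write_tmp(string.dump(function() return "precompiled" end))

print(load_untrusted(text_mod))
print(load_untrusted(bin_mod))

os.remove(text_mod)
os.remove(bin_mod)
```

Run with a stock `lua` interpreter: the text file executes with `load` and `require` absent from its environment, while the precompiled file is refused by `loadfile` before any of it runs.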