- Subject: Re: Loading bytecode in require()
- From: Tom N Harris <whoopdedo@...>
- Date: Sun, 19 Jul 2015 15:15:59 -0400
On Sunday, July 19, 2015 01:52:26 PM Egor Skriptunoff wrote:
> Yes, possibility of loading native machine code in require() should also be
> disableable:
> mode = "t" / "b" / "n" / "tbn"

As was mentioned, you can put a custom function in package.searchers that will
reject untrusted files. The third and fourth default searchers handle native
libraries, so to reject those just set
`package.searchers[3] = nil; package.searchers[4] = nil`. To filter compiled
Lua you can wrap the second loader with
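
    local luasearcher = package.searchers[2]
    package.searchers[2] = function(mod)
      local loader, filename = luasearcher(mod)
      if filename then
        -- Read the first four bytes and compare with the bytecode signature
        local luafile = io.open(filename, "rb")
        if luafile then
          local header = luafile:read(4)
          luafile:close()  -- close before returning so the handle is not leaked
          if header == "\27Lua" then
            return nil  -- precompiled chunk: reject it
          end
        end
      end
      return loader, filename
    end
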
But I don't know why you'd really want to do that. Require is assumed to be
operating on trusted code so there's no need for safeguards. It is not typical
for user-supplied files to be loaded that way. If you don't trust it, use
loadfile and lock it in a sandbox.

If an attacker is able to create untrusted files to be loaded by require then
it's likely he's able to create any file. Then there's no protection from
forbidding binary loads as the text of the required file could be
`loadfile("/tmp/binarypayload.lua","b")`

Or, extra files aren't even needed. You can write the binary payload into a
string and call `load(stringpayload, nil, "b")`. Unless you remove load from
the global environment. How many third-party modules will that break? Probably
not many, to be honest. But if you're going to that extent you may as well
just set up a proper sandboxing framework and load untrusted files manually
instead of with require.

--
tom <telliamed@whoopdedo.org>
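
The two approaches discussed in the message above, as an added example that is not part of the original post: a text-only replacement for the Lua-file searcher, and loading an untrusted file with loadfile in a restricted environment instead of through require. It assumes Lua 5.2 or later; `text_only_searcher`, `run_untrusted` and the contents of the environment table are illustrative choices.

```lua
-- Added example for Lua 5.2+; text_only_searcher and run_untrusted are
-- illustrative names, not standard library functions.

-- Replacement for package.searchers[2]: same lookup along package.path, but
-- loadfile's mode "t" makes the loader itself refuse precompiled chunks.
local function text_only_searcher(name)
  local filename, err = package.searchpath(name, package.path)
  if not filename then
    return err  -- require appends this string to its "not found" message
  end
  local chunk, loaderr = loadfile(filename, "t")
  if not chunk then
    error(("error loading module '%s' from file '%s':\n\t%s")
      :format(name, filename, loaderr))
  end
  return chunk, filename
end

package.searchers[2] = text_only_searcher
package.searchers[3] = nil  -- C library searcher
package.searchers[4] = nil  -- all-in-one (submodule of a C library) searcher

-- Untrusted files stay out of require: text mode plus an explicit environment
-- with no load, loadfile, dofile, require, io, os, debug or package.
local function run_untrusted(path)
  local env = {
    print = print, pairs = pairs, ipairs = ipairs, type = type,
    tostring = tostring, tonumber = tonumber,
    math = { floor = math.floor, max = math.max, min = math.min },
  }
  local chunk, err = loadfile(path, "t", env)
  if not chunk then
    return nil, err
  end
  return pcall(chunk)
end

-- Constructed check: write a precompiled chunk to a temporary file and show
-- that the sandboxed loader refuses it.
local tmp = os.tmpname()
local f = assert(io.open(tmp, "wb"))
f:write(string.dump(function() return 1 end))
f:close()
print(run_untrusted(tmp))
os.remove(tmp)
```

The environment table is a minimal whitelist: string methods remain reachable through the string metatable, and nothing here limits CPU time or memory.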