lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

It was thus said that the Great Norman Ramsey once stated:
> From within a Lua process that has already launched, is there a way to
> discover the *default* paths, especially package.cpath?
> Context: I have to treat the LUA_CPATH environment variable as if it
> were controlled by an adversary, and I do not have the ability to
> launch Lua with the -E option.  My choices will be either to put some
> kind of wrapper around my Lua binary or to launch a separate process
> to determine the default path.  Neither of these choices is ideal.
> A solution for 5.1 would be perfect, but if it's doable even using a
> later version, I might be able to retrofit.  

  First, what is your thread model?  Is it *just* LUA_CPATH and not
LUA_PATH?  Or LUA_INIT?  If it's just to prevent an adversary from loading a
custom version of a C-based module, all they need to do is call
package.loadlib() directly to load a C-based module.

  Second, is modifying Lua an option?  If so, you could always modify
loadlib.c:setpath() to not query LUA_CPATH (and even LUA_PATH) and to
prevent package.loadlib() from being included in the Lua state.  But there
might be more you will have to do depending upon your threat model.

  -spc (Did I just say "threat model?"  Sheesh ... )