lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

On 1/3/19, nobody <> wrote:
> On 03/01/2019 23.09, Norman Ramsey wrote:
>> I suppose I can simply cause my code to crash if any of the sensitive
>> environment variables are set.  Inconvenient, but safe.
> LUA_INIT can re-define os.getenv to always pretend that LUA_INIT*,
> LUA_*PATH* etc. are absent.  (LUA_INIT can re-define absolutely anything
> and do whatever it wants… it could easily wrap debug.sethook,
> debug.getinfo etc. and deliver the fantasy that you want to believe in.)

Your program can even be run under an interpreter that ignores it and
runs a different program entirely; LUA_INIT is arbitrary code
execution already.

What are you trying to prevent? What are you trying to protect?