On 1/3/19, nobody <nobody+lua-list@afra-berlin.de> wrote:
> On 03/01/2019 23.09, Norman Ramsey wrote:
>> I suppose I can simply cause my code to crash if any of the sensitive
>> environment variables are set.  Inconvenient, but safe.
>
> LUA_INIT can re-define os.getenv to always pretend that LUA_INIT*,
> LUA_*PATH* etc. are absent.  (LUA_INIT can re-define absolutely anything
> and do whatever it wants… it could easily wrap debug.sethook,
> debug.getinfo etc. and deliver the fantasy that you want to believe in.)

Your program can even be run under an interpreter that ignores it and
runs a different program entirely; LUA_INIT is arbitrary code
execution already.

What are you trying to prevent? What are you trying to protect?
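
Because LUA_INIT runs before the script does, a check written in Lua cannot be trusted to see the real environment; any scrubbing has to happen before the interpreter starts. The following POSIX shell launcher is an added example, not code from either poster. The helper function names and the `lua` binary name are assumptions; `-E` is the stock interpreter's option (Lua 5.2 and later) for ignoring these variables.

```shell
#!/bin/sh
# Added example: helper names and the `lua` binary name are assumptions.

# Print the names of exported variables the stock interpreter reads at
# startup: LUA_INIT, LUA_PATH, LUA_CPATH and versioned forms such as
# LUA_INIT_5_3. awk's ENVIRON is used so that multi-line values cannot
# confuse the match the way parsing `env` output could.
lua_env_names() {
    awk 'BEGIN {
        for (k in ENVIRON)
            if (k ~ /^LUA_(INIT|PATH|CPATH)(_[0-9]+_[0-9]+)?$/) print k
    }' | LC_ALL=C sort
}

# Remove every such variable from the current shell's environment.
scrub_lua_env() {
    for name in $(lua_env_names); do
        unset "$name"
    done
}

# Launcher: scrub first, then start lua with -E as a second layer so the
# interpreter itself also ignores LUA_INIT / LUA_PATH / LUA_CPATH.
run_lua_clean() {
    scrub_lua_env
    exec lua -E "$@"
}

# Constructed demo, run in a subshell so the caller's environment is
# untouched. The variable values are made up for illustration.
(
    export LUA_INIT='print("constructed sample")' LUA_PATH_5_3='/tmp/?.lua'
    echo "before scrub: $(lua_env_names | tr '\n' ' ')"
    scrub_lua_env
    echo "after scrub:  $(lua_env_names | tr '\n' ' ')"
)
```

This helps only when the launcher is what actually gets invoked; as the reply above notes, whoever controls the environment can also run the program under a different interpreter.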