[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: Re: collectargs behaviour on argc==0
- From: Roberto Ierusalimschy <roberto@...>
- Date: Thu, 27 Jan 2022 12:40:54 -0300
> lua.c collectargs seems to assume that argv has at least one element
> (the binary's name, by convention). As people have recently
> (re)discovered, some OSes (e.g. Linux) don't guarantee that [0] which
> enables up some attack vectors [1]. I don't think many people run
> standalone Lua setuid, but you might want to check for this anyway for
> correctness.
Many thanks for the report.
-- Roberto
