lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

It was thus said that the Great Augusto Stoffel once stated:
> One could argue that these are packaging bugs and should be solved
> downstream, but perhaps Lua should be more helpful?  For instance, it
> could include a "--safe-paths" switch to disable lookup in the current
> directory, or maybe even have the opposite behavior, i.e. add a switch
> to allow requiring modules from "./".
> What do you think?

  There are several options that can be done now.  One is to define the
environment variables LUA_PATH and LUA_CPATH [1] to only contain paths you
trust.  You can modify the package.path and package.cpath in a script
referenced by LUA_INIT.  Or you could recompile Lua and define
LUA_PATH_DEFAULT and LUA_CPATH_DEFAULT to have the paths you desire.  As an

	% make MYCFLAGS='-DLUA_PATH_DEFAULT="\"/usr/local/share/lua/5.4/?.lua\""'
	% src/lua
	Lua 5.4.4  Copyright (C) 1994-2022, PUC-Rio
	> print(package.path)

  Also, malicious code could always modify package.path and package.cpath to
include the current directory.  


[1]	There are also the version specific versions: