- Subject: Re: Security considerations around package.{path,cpath}
- From: Sean Conner <sean@...>
- Date: Fri, 2 Dec 2022 17:46:44 -0500
It was thus said that the Great Augusto Stoffel once stated:
>
> One could argue that these are packaging bugs and should be solved
> downstream, but perhaps Lua should be more helpful? For instance, it
> could include a "--safe-paths" switch to disable lookup in the current
> directory, or maybe even have the opposite behavior, i.e. add a switch
> to allow requiring modules from "./".
>
> What do you think?
There are several options that can be done now. One is to define the
environment variables LUA_PATH and LUA_CPATH [1] to only contain paths you
trust. You can modify the package.path and package.cpath in a script
referenced by LUA_INIT. Or you could recompile Lua and define
LUA_PATH_DEFAULT and LUA_CPATH_DEFAULT to have the paths you desire. As an
example:
% make MYCFLAGS='-DLUA_PATH_DEFAULT="\"/usr/local/share/lua/5.4/?.lua\""'
% src/lua
Lua 5.4.4 Copyright (C) 1994-2022 Lua.org, PUC-Rio
> print(package.path)
/usr/local/share/lua/5.4/?.lua
>
Also, malicious code could always modify package.path and package.cpath to
include the current directory.
-spc
[1] There are also the version specific versions:
LUA_PATH_5_2 LUA_CPATH_5_2
LUA_PATH_5_3 LUA_CPATH_5_3
LUA_PATH_5_4 LUA_CPATH_5_4
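As an added illustration of the LUA_INIT approach mentioned above (this is example code written for this page, not code from the original post or from the Lua distribution), the script below strips current-directory templates from package.path and package.cpath before any user script runs. It assumes Lua 5.2 or later, that current-directory templates are spelled "./?.lua"-style (or ".\?.lua" on Windows) or carry no directory component at all, and that the script is installed at a path of your choosing and pointed to via LUA_INIT=@/path/to/safe-paths.lua (the "@filename" form of LUA_INIT is documented by the Lua standalone interpreter; the file name itself is an assumption):

```lua
-- safe-paths.lua: drop current-directory search templates from
-- package.path and package.cpath. Added example, not part of the
-- original message. Assumes Lua 5.2+; the "./" and ".\" prefix tests
-- and the "no directory component" test are the assumptions used to
-- decide which templates resolve relative to the working directory.

-- A template resolves against the process's working directory if it
-- starts with "./" (or ".\" on Windows) or contains no path separator
-- at all (e.g. a bare "?.lua").
local function is_cwd_relative(template)
  if template:match("^%.[/\\]") then
    return true
  end
  return template:find("[/\\]") == nil
end

-- Return a copy of a ';'-separated search path with every
-- current-directory template removed, preserving order of the rest.
local function strip_cwd(path)
  local kept = {}
  for template in path:gmatch("[^;]+") do
    if not is_cwd_relative(template) then
      kept[#kept + 1] = template
    end
  end
  return table.concat(kept, ";")
end

-- Apply to both the Lua and the C module search paths. The value
-- already has any ';;' default-path marker expanded at this point,
-- because LUA_INIT runs after the interpreter has set package.path.
package.path  = strip_cwd(package.path)
package.cpath = strip_cwd(package.cpath)

-- Self-check: package.searchpath must no longer report a match for a
-- bare module name sitting only in the working directory. This uses
-- a constructed name that is assumed not to exist on the trusted paths.
local found, err = package.searchpath("safe_paths_probe", package.path)
assert(found == nil, "current-directory lookup still possible: " .. tostring(found))
assert(err ~= nil)  -- err lists only the non-cwd templates that were tried
```

Install it with something like LUA_INIT="@/etc/lua/safe-paths.lua" (path is an assumption) in the environment of the processes you care about. As the message notes, this only closes the door for code that did not already run: any script that has executed can assign to package.path and package.cpath again, so the recompile-with-LUA_PATH_DEFAULT route gives the same result without depending on an environment variable that a caller can unset.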