- Subject: Re: Security considerations around package.{path,cpath}
- From: Augusto Stoffel <arstoffel@...>
- Date: Sat, 03 Dec 2022 00:19:22 +0100
Hi Sean,
On Fri, 2 Dec 2022 at 17:46, Sean Conner wrote:
> There are several options that can be done now. One is to define the
> environment variables LUA_PATH and LUA_CPATH [1] to only contain paths you
> trust. You can modify the package.path and package.cpath in a script
> referenced by LUA_INIT. Or you could recompile Lua and define
> LUA_PATH_DEFAULT and LUA_CPATH_DEFAULT to have the paths you desire.
Yes, there are of course various ways in which an individual user can
fix this, but the point is that Lua should be safe by default. In
particular, if I distribute a package via LuaRocks or CTAN, or a Linux
distro, I'd like to have some assurance that it will be safe for a user
who is not aware of the gory details (and perhaps not even aware of the
programming language my package is written in).
> Also, malicious code could always modify package.path and package.cpath to
> include the current directory.
Under the assumption that the code installed under system directories is
safe, this should hopefully not be possible (barring some bug).
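One way to apply the LUA_INIT approach mentioned in the quoted message, as an added example that is not code from either poster: a script that audits package.path and package.cpath for relative entries (such as the stock "./?.lua") and strips them, so modules are resolved only from absolute locations. It assumes a POSIX-style layout where trusted entries begin with "/" and ";" separates templates, as in the stock Lua loader.

```lua
-- Added example for LUA_INIT (assumption: POSIX paths, ";"-separated templates).
-- Run via: LUA_INIT=@/etc/lua/safe_path.lua lua script.lua  (path is hypothetical)

-- Return the list of entries in a search template that are not absolute.
-- Used as an audit step before anything is changed.
local function relative_entries(template)
  local found = {}
  for entry in string.gmatch(template, "[^;]+") do
    if entry:sub(1, 1) ~= "/" then
      found[#found + 1] = entry
    end
  end
  return found
end

-- Rebuild a search template keeping only absolute entries.
local function keep_absolute(template)
  local kept = {}
  for entry in string.gmatch(template, "[^;]+") do
    if entry:sub(1, 1) == "/" then
      kept[#kept + 1] = entry
    end
  end
  return table.concat(kept, ";")
end

-- Audit, report to stderr, then filter both the Lua and C module templates.
for _, name in ipairs({ "path", "cpath" }) do
  local bad = relative_entries(package[name])
  if #bad > 0 then
    io.stderr:write("package.", name, ": dropping relative entries: ",
                    table.concat(bad, " "), "\n")
    package[name] = keep_absolute(package[name])
  end
end
```

This runs before the main script, so it only covers the default search order; as the quoted message notes, code that runs afterwards can still reassign package.path and package.cpath itself.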