[Date Prev][Date Next][Thread Prev][Thread Next]
- Subject: Re: [ANN] Lua 5.3.0 (work3) now available
- From: Andrew Starks <andrew.starks@...>
- Date: Sun, 22 Jun 2014 19:12:24 -0500
On Sunday, June 22, 2014, Thijs Schreijer <firstname.lastname@example.org> wrote:
BTW great to see the default package paths updated!
Though I still think that the `!\?.dll` and `.\?.dll` c-paths should be removed, because they make it too easy for the casual user to put dll's into the system path (where other executables are also looking and might load them accidentally, as is the nature of Windows)
5.3 work3 package.cpath;
The regular path has the `lua` subdirectory of the executable directory; `!\lua\?.lua`. Can't a similar subdirectory for clibs be added? So the dll's stay out of the system path, while the interpreter itself is in the system path.
Obviously anyone could override it at any time, but imo at least the defaults should be as safe as possible.
I lack an opinion about .\?.dll.
I think that !\?.dll should stay. This is the way that Windows works, regardless of anyone's opinions about it. Executables go in the same spot that DLLs do. In fact, getting Windows build tools and installers to do anything different is a pain.
For this to be a security risk, it would also need to be one for all of the other libraries that do the same.
It's at least one Stack Exchange trip with something along the lines of "I'm working with a legacy library that..."