- Subject: RE: [ANN] Lua 5.3.0 (work3) now available
- From: Thijs Schreijer <thijs@...>
- Date: Mon, 23 Jun 2014 06:36:27 +0000
> -----Original Message-----
> From: firstname.lastname@example.org [mailto:email@example.com] On
> Behalf Of Andrew Starks
> Sent: maandag 23 juni 2014 2:12
> To: Lua mailing list
> Subject: Re: [ANN] Lua 5.3.0 (work3) now available
> On Sunday, June 22, 2014, Thijs Schreijer <firstname.lastname@example.org> wrote:
> BTW great to see the default package paths updated!
> Though I still think that the `!\?.dll` and `.\?.dll` c-paths should be
> removed, because they make it too easy for the casual user to put dll's into
> the system path (where other executables are also looking and might load
> them accidentally, as is the nature of Windows)
> 5.3 work3 package.cpath;
> The regular path has the `lua` subdirectory of the executable directory;
> `!\lua\?.lua`. Can't a similar subdirectory for clibs be added? So the dll's
> stay out of the system path, while the interpreter itself is in the system
> Proposed package.cpath;
> Obviously anyone could override it at any time, but imo at least the
> defaults should be as safe as possible.
> I lack an opinion about .\?.dll.
> I think that !\?.dll should stay. This is the way that Windows works,
> regardless of anyone's opinions about it. Executables go in the same spot
> that DLLs do.
I strongly disagree with your reasoning. Doing things the way you do it because you've always done it that way, is the worst possible reason. It's about the 'mother-of-all' security issues.
> In fact, getting Windows build tools and installers to do
> anything different is a pain.
True, but applications do not install themselves in the system path, they install shortcuts and links, and then `!\?.dll` is perfectly safe (and so it is for embedded Lua installations). But in this case, the standalone interpreter is generally in the system path. And the executable itself provides the options to put the dll's anywhere you want them through the configurable LUA_CPATH option.
I don't think there is a single argument for keeping those two path elements, other than 'old habits die hard'.
> For this to be a security risk, it would also need to be one for all of the
> other libraries that do the same.
> It's at least one Stack Exchange trip with something along the lines of "I'm
> working with a legacy library that..."
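
The following is an added example, not part of the original message or of the Lua distribution: a sketch of how a script could filter the two templates discussed in this thread out of `package.cpath` before any `require`. The names `normalize` and `harden_cpath`, the `exe_dir` parameter, and the sample directory `C:\Lua\clibs` are assumptions made for illustration.

```lua
-- Added example: drop package.cpath templates that load C modules straight
-- from the current directory or from the interpreter's own directory.

-- Windows paths are case-insensitive and accept either slash.
local function normalize(dir)
  dir = dir:gsub("/", "\\"):lower()
  dir = dir:gsub("\\+$", "")           -- strip trailing separators
  return dir
end

-- cpath:   a ';'-separated template list (same syntax as package.cpath)
-- exe_dir: directory of the interpreter (hypothetical parameter; at runtime
--          Lua has already replaced '!' with this directory)
local function harden_cpath(cpath, exe_dir)
  local unsafe = { ["."] = true, ["!"] = true }
  if exe_dir then unsafe[normalize(exe_dir)] = true end

  local kept, dropped = {}, {}
  for template in cpath:gmatch("[^;]+") do
    -- Directory part is everything before the last separator;
    -- a bare "?.dll" is relative to the current directory.
    local dir = template:match("^(.*)[\\/][^\\/]*$") or "."
    if unsafe[normalize(dir)] then
      dropped[#dropped + 1] = template
    else
      kept[#kept + 1] = template
    end
  end
  return table.concat(kept, ";"), dropped
end

-- Constructed sample input, not the real 5.3 work3 default.
local sample = [[!\?.dll;C:\Lua\?.dll;C:\Lua\clibs\?.dll;.\?.dll]]
local safe, dropped = harden_cpath(sample, [[C:\Lua]])

print("kept:    " .. safe)
for _, t in ipairs(dropped) do print("dropped: " .. t) end

-- To apply it to a running interpreter:
-- package.cpath = harden_cpath(package.cpath, [[C:\Lua]])
```

The same filtering can be done without code by setting `LUA_CPATH` to a list that omits those templates, as the message above notes.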