tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Userland Lua - concerns with require

Please note that we are currently working on an unresolved security
concern that jmcneill brought up in a private conversation.

The "require" keyword can be used to load modules.  Lua will look for
modules in a user defineable path, LUA_PATH.  The default settings for
LUA_PATH include the current working directory, even before the other

We want to make sure this can not be used to trick someone into running
malicious code, possibly even the root user.

To illustrate the concern, see below the (error) output from Lua when
trying to load a non-existing module "x":

Lua 5.1.4  Copyright (C) 1994-2008, PUC-Rio
> require "x"
stdin:1: module 'x' not found:
        no field package.preload['x']
        no file './x.lua'
        no file '/usr/share/lua/5.1/x.lua'
        no file '/usr/share/lua/5.1/x/init.lua'
        no file '/usr/lib/lua/5.1/x.lua'
        no file '/usr/lib/lua/5.1/x/init.lua'
        no file './'
        no file '/usr/lib/lua/5.1/'
        no file '/usr/lib/lua/5.1/'
stack traceback:
        [C]: in function 'require'
        stdin:1: in main chunk
        [C]: ?

Home | Main Index | Thread Index | Old Index