tech-userlevel archive


Re: Userland Lua - concerns with require



Please note that we are currently working on an unresolved security
concern that jmcneill brought up in a private conversation.

The "require" keyword can be used to load modules.  Lua will look for
modules in a user-definable path, LUA_PATH.  The default settings for
LUA_PATH include the current working directory, even before the other
locations.

We want to make sure this cannot be used to trick someone into running
malicious code, possibly even the root user.

To illustrate the concern, see below the (error) output from Lua when
trying to load a non-existing module "x":

Lua 5.1.4  Copyright (C) 1994-2008 Lua.org, PUC-Rio
> require "x"
stdin:1: module 'x' not found:
        no field package.preload['x']
        no file './x.lua'
        no file '/usr/share/lua/5.1/x.lua'
        no file '/usr/share/lua/5.1/x/init.lua'
        no file '/usr/lib/lua/5.1/x.lua'
        no file '/usr/lib/lua/5.1/x/init.lua'
        no file './x.so'
        no file '/usr/lib/lua/5.1/x.so'
        no file '/usr/lib/lua/5.1/loadall.so'
stack traceback:
        [C]: in function 'require'
        stdin:1: in main chunk
        [C]: ?
>
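As an added illustration (this is example code, not from the original post or from the NetBSD Lua import), the following Lua 5.1 snippet audits package.path and package.cpath, the tables that the error output above is walking through, and drops every search template that does not begin with "/", so that "require" no longer considers ./x.lua or ./x.so. The helper names (is_relative_template, split_templates, drop_relative_entries) are this example's own.

```lua
-- Added example (not part of the original post): audit and harden
-- package.path / package.cpath so that "require" never searches the
-- current working directory. Helper names are this example's own.

-- A search template is relative unless it starts with "/".
-- Both "./?.lua" and "?.lua" resolve against the current directory.
local function is_relative_template(entry)
  return entry:sub(1, 1) ~= "/"
end

-- Split a ";"-separated path string into its individual templates,
-- skipping empty entries.
local function split_templates(path)
  local out = {}
  for entry in path:gmatch("[^;]+") do
    out[#out + 1] = entry
  end
  return out
end

-- Return the hardened path plus the list of relative entries removed.
local function drop_relative_entries(path)
  local kept, removed = {}, {}
  for _, entry in ipairs(split_templates(path)) do
    if is_relative_template(entry) then
      removed[#removed + 1] = entry
    else
      kept[#kept + 1] = entry
    end
  end
  return table.concat(kept, ";"), removed
end

-- Report which default templates would have searched the cwd, then
-- install the hardened versions for both Lua and C module lookups.
for _, name in ipairs({ "path", "cpath" }) do
  local hardened, removed = drop_relative_entries(package[name])
  for _, entry in ipairs(removed) do
    io.stderr:write(string.format("package.%s: dropping relative entry %q\n",
                                  name, entry))
  end
  package[name] = hardened
end

-- Also flag an environment override, since LUA_PATH / LUA_CPATH replace
-- the compiled-in defaults and may reintroduce relative entries.
for _, var in ipairs({ "LUA_PATH", "LUA_CPATH" }) do
  local value = os.getenv(var)
  if value then
    io.stderr:write(string.format("note: %s is set in the environment (%q)\n",
                                  var, value))
  end
end

-- From here on, require "x" will not look at ./x.lua or ./x.so.
```

With the Lua 5.1 standalone interpreter this can be made to run before a script's first require by passing it with -e (for example, lua -e "dofile('harden.lua')" script.lua, where harden.lua is whatever file the snippet is saved as); it only protects what is required after it runs, so it does not help a script that has already been launched from an attacker-writable directory with the default search order, which is the case the post is concerned about.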
