tech-userlevel archive
Re: Userland Lua - concerns with require
> Please note that we are currently working on an unresolved security
> concern that jmcneill brought up in a private conversation.
>
> The "require" keyword can be used to load modules. Lua will look for
> modules in a user-definable path, LUA_PATH. The default settings for
> LUA_PATH include the current working directory, even before the other
> locations.
>
> We want to make sure this can not be used to trick someone into running
> malicious code, possibly even the root user.
>
> To illustrate the concern, see below the (error) output from Lua when
> trying to load a non-existing module "x":
>
> Lua 5.1.4 Copyright (C) 1994-2008 Lua.org, PUC-Rio
>> require "x"
> stdin:1: module 'x' not found:
> no field package.preload['x']
> no file './x.lua'
> no file '/usr/share/lua/5.1/x.lua'
> no file '/usr/share/lua/5.1/x/init.lua'
> no file '/usr/lib/lua/5.1/x.lua'
> no file '/usr/lib/lua/5.1/x/init.lua'
> no file './x.so'
> no file '/usr/lib/lua/5.1/x.so'
> no file '/usr/lib/lua/5.1/loadall.so'
> stack traceback:
> [C]: in function 'require'
> stdin:1: in main chunk
> [C]: ?
>>
>
You can consider this issue as resolved.
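
The quoted error output lists './x.lua' first and also searches './x.so', so a file in the current working directory can shadow a system module. As an added example (not part of the original message, and not a description of how the issue was resolved), this Lua 5.1 snippet drops every non-absolute template from package.path and package.cpath; the helper name strip_relative, the sample string and the POSIX-style path assumption belong to the example.

```lua
-- Added example, not from the original thread.
-- Assumption: POSIX paths, so an absolute template starts with "/".

-- Split a ';'-separated search path and keep only absolute templates.
-- Returns the cleaned path string and a list of the templates removed.
local function strip_relative(pathlist)
  local kept, dropped = {}, {}
  for template in string.gmatch(pathlist, "[^;]+") do
    if template:sub(1, 1) == "/" then
      kept[#kept + 1] = template
    else
      dropped[#dropped + 1] = template   -- e.g. "./?.lua", "?.lua", "./?.so"
    end
  end
  return table.concat(kept, ";"), dropped
end

-- Constructed sample that mirrors the .lua search order in the quoted output.
local sample = "./?.lua;/usr/share/lua/5.1/?.lua;/usr/share/lua/5.1/?/init.lua;"
            .. "/usr/lib/lua/5.1/?.lua;/usr/lib/lua/5.1/?/init.lua"
local cleaned, dropped = strip_relative(sample)
assert(cleaned == "/usr/share/lua/5.1/?.lua;/usr/share/lua/5.1/?/init.lua;"
               .. "/usr/lib/lua/5.1/?.lua;/usr/lib/lua/5.1/?/init.lua")
assert(#dropped == 1 and dropped[1] == "./?.lua")

-- Apply to the running interpreter before the first require, and report
-- what was removed so the change is visible to whoever runs the script.
local function harden(field)
  local removed
  package[field], removed = strip_relative(package[field])
  for _, template in ipairs(removed) do
    io.stderr:write("removed from package." .. field .. ": " .. template .. "\n")
  end
  return #removed
end

harden("path")    -- Lua source modules (*.lua)
harden("cpath")   -- C modules (*.so)
```

This only changes the search path inside the script that runs it; modules already loaded, and interpreters started without it, are unaffected.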