tech-userlevel archive


Re: Userland Lua - concerns with require



On 27.10.10 23:37, Phil Nelson wrote:
> On Wednesday 27 October 2010 2:21:34 pm Marc Balmer wrote:
>> I will change the default path specifications.
> 
> What specific change?  Removing . or moving it to the end?
> I'd argue that removing . is the correct thing to do, not
> just moving it to the end if you are worried about security.
> But from my knowledge of lua it expects . in the path.
> 
> Your two previous posts didn't convey the details of the solution.

After consideration, an email exchange with the makers of Lua, and testing
real-world systems, I think probably the best thing to do is to move the
'.' parts to the end of the list:

The obvious security risk is that someone puts a Lua file in your
homedirectory with the name of an _existing_ module, e.g. some database
adapter, and tricks you into running this code instead.

When '.' is moved to the end of the list, this kind of exploit is no
longer possible.  This is also what the makers of Lua did for the next
release, Lua 5.2.

I am a bit hesitant right now to remove the '.' entries completely, I am
still trying to assess the consequences.  That said, I am open for (well
reasoned) opinions.
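The shadowing described above, as an added illustration that is not part of the thread or of the NetBSD Lua port: with the Lua 5.1-style default `package.path`, the `./?.lua` template sits first, so a same-named file in the current directory is found before the installed module; `demote_cwd` below moves every template that starts with `./` to the end of the list, which is the ordering the post argues for. The module name `dbadapter`, the temporary directory, a writable current directory and a POSIX `mkdir -p` are assumptions made for the demo.

```lua
-- Added example (not from the thread): shows how the position of the
-- './?.lua' template in package.path decides whether a file in the current
-- directory can shadow an installed module, and one way to push the '.'
-- templates to the end of the search list.
-- Assumptions: writable cwd and temp dir, POSIX "mkdir -p", Lua 5.1 or later;
-- the module name "dbadapter" and directory names are invented for the demo.

local SEP = package.config:sub(1, 1)        -- directory separator ("/" on NetBSD)
local PATHSEP = package.config:sub(3, 3)    -- separator between templates (";")

-- Split package.path into its individual templates.
local function split_path(path)
  local templates = {}
  for tpl in string.gmatch(path, "[^" .. PATHSEP .. "]+") do
    templates[#templates + 1] = tpl
  end
  return templates
end

-- Return a copy of `path` with every template that starts with "./" moved
-- to the end; the relative order of the other templates is kept.
local function demote_cwd(path)
  local front, back = {}, {}
  for _, tpl in ipairs(split_path(path)) do
    if tpl:sub(1, 2) == "." .. SEP then
      back[#back + 1] = tpl
    else
      front[#front + 1] = tpl
    end
  end
  for _, tpl in ipairs(back) do
    front[#front + 1] = tpl
  end
  return table.concat(front, PATHSEP)
end

local function write_file(name, body)
  local f = assert(io.open(name, "w"))
  f:write(body)
  f:close()
end

-- Force require() to search the path again for the given package.path.
local function load_with(path)
  package.loaded["dbadapter"] = nil
  package.path = path
  return require("dbadapter")
end

-- "Installed" module in a directory outside the cwd (assumed location).
local libdir = (os.getenv("TMPDIR") or "/tmp") .. SEP .. "lua_require_demo"
os.execute("mkdir -p " .. libdir)
write_file(libdir .. SEP .. "dbadapter.lua", 'return "installed module"\n')

-- The planted file: same module name, dropped into the current directory.
write_file("." .. SEP .. "dbadapter.lua", 'return "file planted in cwd"\n')

-- Lua 5.1 default ordering: the "./?.lua" template comes first, so the
-- planted file is found before the installed module.
local risky = "." .. SEP .. "?.lua" .. PATHSEP .. libdir .. SEP .. "?.lua"
print("'.' first:  " .. load_with(risky))

-- With the "./" template demoted (the Lua 5.2 ordering), the installed
-- module is found first and the planted file can no longer shadow it.
print("'.' last:   " .. load_with(demote_cwd(risky)))

-- Clean up the demo files.
os.remove("." .. SEP .. "dbadapter.lua")
os.remove(libdir .. SEP .. "dbadapter.lua")
```

Note that demoting the `./` templates only prevents a cwd file from shadowing a module that exists elsewhere on the path; a `require` of a name that is installed nowhere else will still pick up a file from the current directory, which is the residual risk the post is still weighing against removing the entries entirely.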

