Loading bytecode in require()

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Loading bytecode in require()
From: Egor Skriptunoff <egor.skriptunoff@...>
Date: 2015年7月19日 12:05:17 +0300

Hi!

As Lua 5.2 and Lua 5.3 manuals say, "Maliciously crafted binary chunks can crash the interpreter".
That's why additional argument was introduced in load() and loadfile():
mode = "b" / "t" / "bt"
But why we do not have the same argument in require() ?
Maliciously crafted "crash.luac" file can be renamed to "some_module.lua", and the interpreter will crash on require("some_module")
If it can be considered as security hole, we definitely need an option to disable loading bytecode files in require()

-- Egor

Follow-Ups:
- Re: Loading bytecode in require(), Dirk Laurie

Prev by Date: Re: Patterns: Why are anchors not character classes?
Next by Date: Re: Loading bytecode in require()
Previous by thread: Re: When to escape magic characters
Next by thread: Re: Loading bytecode in require()
Index(es):
- Date
- Thread