Re: Loading bytecode in require()
[
Date Prev][
Date Next][
Thread Prev][
Thread Next]
[
Date Index]
[
Thread Index]
- Subject: Re: Loading bytecode in require()
- From: Julien Desgats <julien+lua@...>
- Date: 2015年7月19日 12:15:58 +0200
Le 2015年7月19日 11:24:07 +0200,
Dirk Laurie <dirk.laurie@gmail.com> a écrit :
> 2015年07月19日 11:05 GMT+02:00 Egor Skriptunoff
> <egor.skriptunoff@gmail.com>:
>
> > As Lua 5.2 and Lua 5.3 manuals say, "Maliciously crafted binary
> > chunks can crash the interpreter".
> > That's why additional argument was introduced in load() and
> > loadfile(): mode = "b" / "t" / "bt"
> > But why we do not have the same argument in require() ?
> > Maliciously crafted "crash.luac" file can be renamed to
> > "some_module.lua", and the interpreter will crash on
> > require("some_module") If it can be considered as security hole, we
> > definitely need an option to disable loading bytecode files in
> > require()
>
> It's a security hole to allow "require", period. Maybe one could
> compile Lua with default path defined in luaconf.h to exclude
> directories to which the hacker might have write access and
> also modify loadlib.c so that environment variables are not
> queried. Maybe.
>
It is a huge security hole with default searchers (or loaders in 5.1),
yes. I'll add that require can also load binary modules, so you don't
even need malicious bytecode to execute arbitrary code!
But, you can replace searchers with you own, that can olny load trusted
source code. See [1].
[1] http://www.lua.org/manual/5.3/manual.html#pdf-package.searchers