https://bugzilla.redhat.com/show_bug.cgi?id=2177239
Tom "spot" Callaway <spotrh(a)gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Doc Type|--- |If docs needed, set a value
--- Comment #1 from Tom "spot" Callaway <spotrh(a)gmail.com> ---
I can see the concern here.
Right now, this is what we get for Linux from upstream (from luaconf.h, which
is luaconf-$ARCH.h on Fedora):
#define LUA_ROOT "/usr/"
#define LUA_LDIR "/usr/share/lua/" LUA_VDIR "/"
#define LUA_CDIR "/usr/lib64/lua/" LUA_VDIR "/"
#if !defined(LUA_PATH_DEFAULT)
#define LUA_PATH_DEFAULT \
LUA_LDIR"?.lua;" LUA_LDIR"?/init.lua;" \
LUA_CDIR"?.lua;" LUA_CDIR"?/init.lua;" \
"./?.lua;" "./?/init.lua"
#endif
#if !defined(LUA_CPATH_DEFAULT)
#define LUA_CPATH_DEFAULT \
LUA_CDIR"?.so;" LUA_CDIR"loadall.so;"
"./?.so"
#endif
Trawling backwards in time through lua's GitHub, it looks like ./?.lua,
./?/init.lua, and ./?.so were moved to the end of the PATHs in 2009 (so that
they wouldn't be loaded first), but it has looked for these since November
2004.
I am worried that while this may be the right thing to do from a security
perspective, removing these ./ items here may cause lots of lua programs to
simply stop working, because they have been assuming that ./ paths are valid.
On top of that, no other distribution (I checked Debian, Ubuntu, SuSE, Gentoo,
Arch) is changing LUA_PATH_DEFAULT or LUA_CPATH_DEFAULT. I'm concerned about
the user experience if lua just "stops working right" on Fedora (and
eventually, RHEL).
Checking lua-l seems to reinforce that:
A) there is a legitimate concern here
B) removing the . items from the path may break things
C) the better way of doing it (using the invoked script path instead of ./) is
hard
http://lua-users.org/cgi-bin/namazu.cgi?query=.%2F%3F.lua&idxname=lua...
But, I suspect you know all this already, since I found your thread here:
http://lua-users.org/lists/lua-l/2022-12/msg00011.html
******
I don't mean to discount your concern, in fact, I share it. But I am reluctant
to make a Fedora specific change to the way Lua operates. I would strongly
prefer if upstream would take a change to their default behavior that Fedora
could inherit.
As a proof of concept, I worked up this patch:
https://spot.fedorapeople.org/lua-5.4.4-unsafe-paths.patch
Notably, this causes the lua test suite to fail immediately during package
build. It's easy enough to hack around ( I just export LUA_PATH=";;./?.lua"
)
but it demonstrates how this will break a lot of lua mindset assumptions.
I would be interested in which approach you think is most likely to succeed
upstream.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2177239