sol2
Security issue: table "base" mirroring "_G"
Using
sol::state lua;
lua.open_libraries(sol::lib::base);
creates a mirror of _G at top level called "base", which is undocumented AFAIK.
print(base == _G)
true
While I don't quite see the security issue here, it would definitely make more sense to call luaL_requiref(L, "_G", luaopen_base, 1); instead of luaL_requiref(L, "base", luaopen_base, 1); for sol::lib::base.
Or even better, just use the constants provided by Lua itself, although I don't know how well that works for compatibility with older Lua versions / LuaJIT / etc:
luaL_requiref(L, LUA_GNAME, luaopen_base, 1);
luaL_requiref(L, LUA_COLIBNAME, luaopen_coroutine, 1);
luaL_requiref(L, LUA_TABLIBNAME, luaopen_table, 1);
luaL_requiref(L, LUA_IOLIBNAME, luaopen_io, 1);
luaL_requiref(L, LUA_OSLIBNAME, luaopen_os, 1);
luaL_requiref(L, LUA_STRLIBNAME, luaopen_string, 1);
luaL_requiref(L, LUA_MATHLIBNAME, luaopen_math, 1);
luaL_requiref(L, LUA_UTF8LIBNAME, luaopen_utf8, 1);
luaL_requiref(L, LUA_DBLIBNAME, luaopen_debug, 1);
Bumping this issue, why is a base table created? Shouldn't it just go to _G like in linit.c?
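A sandbox that hides or replaces globals by name has to know every name under which the global table is reachable, so the alias reported in this thread is worth auditing for. The script below is an added example, not code from sol2 or from the thread; the function names, the EXPECTED allowlist and the `base = _G` stand-in are assumptions made for illustration.

```lua
-- Added example, not sol2 code. Run inside the Lua state you want to audit.
-- Constructed stand-in for the behaviour reported above, so the script also
-- runs under a plain `lua` interpreter; remove it when auditing a sol2 state.
if base == nil then base = _G end

-- Paths under which the global table is expected to be reachable (assumed).
local EXPECTED = { ["_G._G"] = true, ["_G.package.loaded._G"] = true }

-- Walk every table reachable through plain fields from `globals` and return
-- the sorted paths whose value is the global table itself. Metatables and
-- function upvalues are not followed.
local function find_global_aliases(globals)
  local seen, hits = {}, {}
  local function walk(tbl, path)
    if seen[tbl] then return end
    seen[tbl] = true
    for k, v in next, tbl do -- raw iteration, ignores __pairs
      if type(v) == "table" then
        local p = path .. "." .. tostring(k)
        if rawequal(v, globals) then hits[#hits + 1] = p else walk(v, p) end
      end
    end
  end
  walk(globals, "_G")
  table.sort(hits)
  return hits
end

-- Remove top-level aliases other than "_G" before untrusted code is loaded.
local function strip_top_level_aliases(globals)
  local doomed = {}
  for k, v in next, globals do
    if rawequal(v, globals) and k ~= "_G" then doomed[#doomed + 1] = k end
  end
  for _, k in ipairs(doomed) do rawset(globals, k, nil) end
  return doomed
end

for _, path in ipairs(find_global_aliases(_G)) do
  print(path, EXPECTED[path] and "expected" or "UNEXPECTED alias of _G")
end
for _, k in ipairs(strip_top_level_aliases(_G)) do
  print("removed global alias: " .. tostring(k))
end
assert(base == nil, "alias still present")
```

The strip step only clears top-level names; any other path the finder reports outside EXPECTED needs its own removal before untrusted scripts run.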