
[Bug][Security] Current `package.path` feels wrong. Shouldn't load modules from CWD.

Open | MuhammedZakir opened this issue 2 years ago | 1 comment

Current Behavior:

When requiring, Luakit loads modules from the current working directory.

Desired Behavior:

Shouldn't do that, and should only load from a selected list. Could be in this order:

  1. Local config dir (default: $XDG_CONFIG_HOME/luakit/)
  2. Global config dir (default: /etc/xdg/luakit/)
  3. Luakit module dir (default: /usr/local/share/luakit/)
  4. Lua/LuaJIT lib dirs.

How can we reproduce it (step by step):

  1. cd /tmp
  2. echo 'print "=====WRONG lousy.lua====="' > lousy.lua
  3. Run luakit and you can see that the wrong lousy.lua is required.

This feels wrong and dangerous.

Environment:

Linux Distribution & Version: Manjaro XFCE (X11)

Output of luakit --version:

luakit 2.3
  built with webkit 2.34.6 (installed version: 2.36.3)

MuhammedZakir, Jun 20 '22 06:06
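The following is an added example, not code from luakit or from the reporter. It shows the mechanism behind the report in plain Lua: a default `package.path` carries a CWD-relative template such as `./?.lua`, so a `lousy.lua` dropped into the directory luakit is started from shadows the real module. The helpers (`search_roots`, `build_package_path`, `cwd_relative_entries`) are hypothetical names; the directory list is the order proposed in the issue, and the sample default path is constructed for the demonstration.

```lua
-- Added example (not luakit's own code): build an absolute, ordered
-- package.path as the issue proposes, and audit any package.path for
-- entries that resolve relative to the current working directory.
-- Assumptions: the directory list is the issue's proposed order; the
-- helper names are hypothetical.

local function config_home()
  local xdg = os.getenv("XDG_CONFIG_HOME")
  if xdg and xdg ~= "" then return xdg end
  return (os.getenv("HOME") or "") .. "/.config"
end

-- Ordered search roots from the issue's "Desired Behavior" list.
local function search_roots()
  return {
    config_home() .. "/luakit",   -- 1. local config dir
    "/etc/xdg/luakit",            -- 2. global config dir
    "/usr/local/share/luakit",    -- 3. luakit module dir
  }
end

-- Build a package.path that tries each root (as ?.lua and ?/init.lua),
-- then falls back to the interpreter's own library dirs (4.), dropping
-- any relative template such as "./?.lua" that Lua includes by default.
local function build_package_path(roots, lib_path)
  local parts = {}
  for _, root in ipairs(roots) do
    parts[#parts + 1] = root .. "/?.lua"
    parts[#parts + 1] = root .. "/?/init.lua"
  end
  for tmpl in string.gmatch(lib_path, "[^;]+") do
    if tmpl:sub(1, 1) == "/" then parts[#parts + 1] = tmpl end
  end
  return table.concat(parts, ";")
end

-- Return the templates in a package.path that are relative, i.e. searched
-- under whatever directory the process happens to be started from.
local function cwd_relative_entries(path)
  local bad = {}
  for tmpl in string.gmatch(path, "[^;]+") do
    if tmpl:sub(1, 1) ~= "/" then bad[#bad + 1] = tmpl end
  end
  return bad
end

-- Constructed sample of a typical default path: "./?.lua" is what lets
-- /tmp/lousy.lua win when the browser is started from /tmp.
local default_path =
  "./?.lua;/usr/local/share/lua/5.1/?.lua;/usr/share/lua/5.1/?.lua"

for _, tmpl in ipairs(cwd_relative_entries(default_path)) do
  print("CWD-relative entry: " .. tmpl)
end

package.path = build_package_path(search_roots(), default_path)
print("hardened package.path: " .. package.path)
assert(#cwd_relative_entries(package.path) == 0)
```

The same audit applies to `package.cpath`, whose default also begins with a `./?.so` template; a hardening pass should filter both lists the same way.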

It looks like there is some safeguard for core modules -- saw this in the log

W [lua/rc]: Found local version /home/user/.config/luakit/search.lua for core module 'search', but it won't be used, unless you update 'package.path' accordingly

MuhammedZakir, Jun 20 '22 07:06