[Bug][Security] Current `package.path` feels wrong. Shouldn't load modules from CWD.
Current Behavior:
When `require`ing, Luakit loads modules from the current working directory.
Desired Behavior:
Shouldn't do that, and should only load from a selected list. Could be in this order:
- Local config dir (default: `$XDG_CONFIG_HOME/luakit/`)
- Global config dir (default: `/etc/xdg/luakit/`)
- Luakit module dir (default: `/usr/local/share/luakit/`)
- Lua/LuaJIT lib dirs.
How can we reproduce it (step by step):
- `cd /tmp`
- `echo 'print "=====WRONG lousy.lua====="' > lousy.lua`
- Run `luakit` and you can see that the wrong `lousy.lua` is `require`d.
This feels wrong and dangerous.
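As an added illustration of the desired behaviour above (this is not luakit's own code and not part of the original report), the following Lua builds a `package.path` limited to the directories listed under "Desired Behavior", in that order, and flags entries of an existing `package.path` that resolve relative to the current working directory. The `/usr/local` install prefix and the `/?/init.lua` pattern are assumptions; luakit's real prefix is set at build time.

```lua
-- Added example, not luakit code: restrict package.path to trusted
-- directories and detect CWD-relative search entries.

local function config_home()
    -- $XDG_CONFIG_HOME, falling back to ~/.config as the XDG spec prescribes
    local xdg = os.getenv("XDG_CONFIG_HOME")
    if xdg and xdg ~= "" then return xdg end
    local home = os.getenv("HOME") or "/"
    return home .. "/.config"
end

-- Directories to search, in the order proposed in the report.
-- The install prefix is an assumption for this example.
local function trusted_dirs(prefix)
    prefix = prefix or "/usr/local"
    return {
        config_home() .. "/luakit",   -- local config dir
        "/etc/xdg/luakit",            -- global config dir
        prefix .. "/share/luakit",    -- luakit module dir
    }
end

-- Build a package.path from the trusted directories, then append the
-- interpreter's own library dirs taken from the original path, keeping
-- only absolute entries so nothing resolves against the CWD.
local function hardened_path(dirs, original)
    local parts = {}
    for _, d in ipairs(dirs) do
        parts[#parts + 1] = d .. "/?.lua"
        parts[#parts + 1] = d .. "/?/init.lua"   -- assumed layout
    end
    for entry in (original or ""):gmatch("[^;]+") do
        if entry:sub(1, 1) == "/" then
            parts[#parts + 1] = entry
        end
    end
    return table.concat(parts, ";")
end

-- Return every entry of a package.path that is resolved relative to the
-- working directory: anything not starting with "/" (e.g. "./?.lua", "?.lua").
local function cwd_relative_entries(path)
    local bad = {}
    for entry in path:gmatch("[^;]+") do
        if entry:sub(1, 1) ~= "/" then
            bad[#bad + 1] = entry
        end
    end
    return bad
end

-- Usage: report the risky entries, then replace the live path so that
-- `require "lousy"` can no longer pick up a lousy.lua dropped into the CWD.
for _, e in ipairs(cwd_relative_entries(package.path)) do
    io.stderr:write("CWD-relative package.path entry: " .. e .. "\n")
end
package.path = hardened_path(trusted_dirs(), package.path)
print(package.path)
```

The same check applies to `package.cpath` for C modules; the stock Lua and LuaJIT defaults both end with `./?.lua` and `./?.so`, which is exactly the entry that lets a file in `/tmp` shadow a module.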
Environment:
Linux Distribution & Version: Manjaro XFCE (X11)
Output of `luakit --version`:
luakit 2.3
built with webkit 2.34.6 (installed version: 2.36.3)
It looks like there is some safeguard for core modules -- saw this in the log
W [lua/rc]: Found local version /home/user/.config/luakit/search.lua for core module 'search', but it won't be used, unless you update 'package.path' accordingly