- Subject: Re: Is registry.LUA_NOENV a public API?
- From: Paul Ducklin <pducklin@...>
- Date: Fri, 28 Jul 2023 00:19:59 +0000
Having an official way to prevent official environment variables from affecting execution (esp. for things like shared library loading) can be considered good security practice.
Just look at how much cybersecurity harm has been done over the years due to “DLL sideloading” attacks and LD_LIBRARY_PATH abuse.
(Same sort of reason why OpenSSL has a “never read the standard config file location when loading”, because it’s one less attack vector to worry about.)
> On 27 Jul 2023, at 14:48, Roberto Ierusalimschy <roberto@inf.puc-rio.br> wrote:
>
>
>>
>> I was looking for information regarding the registry constant
>> "LUA_NOENV". In the source code of lua.c this constant is set by the
>> -E option and directs the standard libraries to ignore environment
>> variables, perhaps most relevant to the package module.
>>
>> Is this part of the public lua C API?
>
> Not yet, but it may become :-) Do you need it?
>
> -- Roberto
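
An added example, not part of the original thread: a launcher-side check for hosts that embed Lua and have no `-E` switch of their own. It lists the environment variables the stock Lua libraries consult and runs a command with them removed. The variable names, including the versioned `_5_x` forms, are taken from the Lua reference manual rather than from this thread, and the function names `lua_env_vars` and `run_without_lua_env` are hypothetical.

```shell
#!/bin/sh
# Added example: audit and scrub the environment variables that the stock
# Lua libraries read (LUA_PATH, LUA_CPATH, LUA_INIT and their versioned
# forms such as LUA_PATH_5_4). Function names are hypothetical.

# Print the name of every Lua-relevant variable in the current environment,
# one per line. awk's ENVIRON is used instead of parsing `env` output so
# that multi-line values cannot produce false matches.
lua_env_vars() {
    awk 'BEGIN {
        for (k in ENVIRON)
            if (k ~ /^LUA_(PATH|CPATH|INIT)(_[0-9]+_[0-9]+)?$/)
                print k
    }' | sort
}

# Run a command with every such variable unset. The body is a subshell,
# so the caller's own environment is left untouched.
run_without_lua_env() (
    for v in $(lua_env_vars); do
        unset "$v"
    done
    "$@"
)

# Demo with constructed values (not taken from any real system).
(
    export LUA_PATH='./?.lua;;' LUA_INIT_5_4='@./init.lua'
    echo "variables that would influence Lua:"
    lua_env_vars
    run_without_lua_env sh -c 'echo "LUA_PATH in child: ${LUA_PATH-<unset>}"'
)
```

The scrub only covers processes started through the wrapper; an embedding host that wants the same effect in-process still depends on the registry flag discussed in the thread.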