Re: [Monotone-devel] Lua loading dynamic libraries not possible in monot
From: Daniel Carosone
Subject: Re: [Monotone-devel] Lua loading dynamic libraries not possible in monotone?
Date: Sun, 26 Oct 2008 07:28:28 +1100
User-agent: Mutt/1.5.18 (2008-05-17)

On Fri, Oct 24, 2008 at 01:28:50PM -0700, Zack Weinberg wrote:
> On Fri, Oct 24, 2008 at 1:19 PM, Markus Wanner <address@hidden> wrote:
> > However, I don't quite understand why it should be a security issue. All
> > hooks are user defined, so what should preventing dynamic loading
> > protect against? Maybe it's rather a simplification for portability? Zack?
>
> I honestly don't remember anymore, and I'm not finding any discussion
> in the mailing list archive. Maybe Nathaniel remembers?

Hm. Try searching the irc logs maybe.

IIRC, the concern was about people running lua code from within a
repository from a malicious committer. There was a specific example
at the time where this was a common pattern, but I don't recall what
it was - maybe something like a previous version of ignore hooks..

This goes a long, long way back - the referenced commit I assume is
Zack doing some autoconf hacking trying to preserve that previous
behaviour. The "disable shell-outs from lua for security" has been
there about as long as lua has, IIUC, and this seems like another
aspect of that.

--
Dan.