loadlib allowed in lua hooks?

All about writing scripts for Celestia in Lua and the .cel system
Avatar
Topic author
dirkpitt
Developer
Posts: 674
Joined: 24.10.2004
With us: 20 years 1 month

loadlib allowed in lua hooks?

Post #1by dirkpitt » 13.09.2007, 08:55

Recently I managed to get a Lua loadlib to work in a lua hook.
I used "require" to include an external lua script, and that lua script called package.loadlib() to load a dll on Windows 2000 SP4.
This worked just fine... but what does this say about this part of the code in celx.cpp?
Is loadlib supposed to be disallowed?

Code: Select all

// Permit access to the package library, but prohibit use of the loadlib
// function.
void LuaState::allowLuaPackageAccess()
{
#if LUA_VER >= 0x050100
    openLuaLibrary(state, LUA_LOADLIBNAME, luaopen_package);

    // Disallow loadlib
    lua_getfield(state, LUA_GLOBALSINDEX, "package");
    lua_pushnil(state);
    lua_setfield(state, -2, "loadlib");
    lua_pop(state, 1);
#endif
}


BTW, I'm using Lua 5.1 and CVS celestia sources.

Avatar
selden
Developer
Posts: 10192
Joined: 04.09.2002
With us: 22 years 2 months
Location: NY, USA

Post #2by selden » 13.09.2007, 13:27

Personally, I believe that so long as the user has allowed system access, loading of shared libraries should be permitted.

(I also think that the system access permission request is misguided, since running a script is no different from running any program, but that's a separate issue.)
Selden

Avatar
Topic author
dirkpitt
Developer
Posts: 674
Joined: 24.10.2004
With us: 20 years 1 month

Post #3by dirkpitt » 14.09.2007, 02:41

I guess the system access warning is supposed to alert the user to say,
a trojan that supposedly only does a solar system tour, but instead secretly
tries to delete or write files. Lua hooks are implicitly allowed this, and also
they are allowed "package" access but not shared library access (loadlib)..
Or are they?


Return to “Scripting”