From: Graydon Hoare
Subject: [Monotone-devel] Linking monotone with the official lua shared library as distributed by Debian
Date: Mon, 25 Jul 2005 00:28:58 -0400

the use of popen was a potential "security hole" in monotone's lua
environment because we feed filenames into it which might contain
un-escaped shell metacharacters. this means a malicious user could
make a filename which executes shell code. it's an old and widely
known family of potential vulnerabilities in any program which
executes popen.

we removed the binding from popen in the lua environment because we
don't want users accidentally writing lua extension scripts for
monotone that casually use popen. we provided a replacement which
calls exec manually. this is very standard practice; many scripting
environments have made this adaptation.

however, it is an adaptation one makes on one's own. popen can be used
safely if you care to be safe, or you're generating the input being
fed to it. we just chose a cautious angle: remove popen entirely.
there is no need to force all lua users in debian to drop popen; we
just didn't want it in *our* bundled lua environment, because that
environment uses a lot of user-provided (and often network-provided)
data.

naturally I would appreciate if you did not link against the
debian-provided lua library, as we have no way of performing QA on
this library or customizing it to suit our needs. in this case you
will be re-introducing a possible security hole; we will still not
actually *use* popen in any of the scripts we provide, but it will be
available to script authors and therefore more likely to be misused.
we prefer to keep the lua environment we offer users very constrained
by default.

of course, being free software, I cannot really stop you from doing
so. but I would appreciate it if you did not.

-graydon
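The popen() hazard described in the message above, shown as an added example. This is illustrative code written for this page, not monotone's lua binding and not anything Graydon posted. It assumes a POSIX system and uses `echo` as a stand-in for whatever tool a hook script would run on a filename; the malicious filename is constructed for the demonstration and only prints a marker, but the same shape could run any command.

```c
/* Added example (not monotone's code): why popen() on an attacker-chosen
 * filename is shell injection, and the fork/exec replacement that avoids it.
 * Assumes POSIX; "echo" stands in for the real command a script would run. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define OUT_MAX 4096

/* Constructed malicious "filename". Under /bin/sh the ';' ends the intended
 * command and starts a second one; here that second command is harmless. */
const char *EVIL_NAME = "a; echo INJECTED";

/* Conservative check for bytes that /bin/sh treats as syntax. A filename
 * that passes this check is still safer to pass via exec than via popen. */
int has_shell_meta(const char *s) {
    return strpbrk(s, " \t\n;&|<>()$`\\\"'*?[]#~=%{}") != NULL;
}

/* Read all of fd into a NUL-terminated buffer. */
static void slurp(int fd, char *buf, size_t cap) {
    size_t n = 0;
    ssize_t r;
    while (n + 1 < cap && (r = read(fd, buf + n, cap - 1 - n)) > 0)
        n += (size_t)r;
    buf[n] = '\0';
}

/* VULNERABLE: the filename is spliced into a command string that popen()
 * hands to /bin/sh -c, so metacharacters in the name become shell syntax.
 * Returns the command's stdout (static buffer), or NULL on failure. */
const char *run_vulnerable(const char *filename) {
    static char out[OUT_MAX];
    char cmd[OUT_MAX];
    snprintf(cmd, sizeof cmd, "echo %s", filename);
    FILE *fp = popen(cmd, "r");
    if (!fp) return NULL;
    slurp(fileno(fp), out, sizeof out);
    pclose(fp);
    return out;
}

/* HARDENED: fork, then exec the program directly with the filename as one
 * argv element. No shell parses it, so metacharacters are just bytes.
 * Returns the command's stdout (static buffer), or NULL on failure. */
const char *run_safe(const char *filename) {
    static char out[OUT_MAX];
    int pfd[2];
    if (pipe(pfd) != 0) return NULL;
    pid_t pid = fork();
    if (pid < 0) return NULL;
    if (pid == 0) {                       /* child */
        close(pfd[0]);
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[1]);
        execlp("echo", "echo", filename, (char *)NULL);
        _exit(127);                       /* exec failed */
    }
    close(pfd[1]);                        /* parent */
    slurp(pfd[0], out, sizeof out);
    close(pfd[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return out;
}

int main(void) {
    printf("metacharacters present: %d\n", has_shell_meta(EVIL_NAME));
    printf("popen output:\n%s", run_vulnerable(EVIL_NAME));
    printf("exec output:\n%s", run_safe(EVIL_NAME));
    return 0;
}
```

Run with the constructed name and the popen path prints two lines, `a` and `INJECTED`, because the shell executed the attacker's second command; the exec path prints the single line `a; echo INJECTED`, the filename treated as data. The metacharacter check is the "be safe if you care to be safe" option the message mentions; the exec binding is the cautious default it describes.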



