monotone-devel

Re: [Monotone-devel] Lua loading dynamic libraries not possible in monot


From: Daniel Carosone
Subject: Re: [Monotone-devel] Lua loading dynamic libraries not possible in monotone?
Date: Sun, 26 Oct 2008 07:28:28 +1100
User-agent: Mutt/1.5.18 (2008-05-17)

On Fri, Oct 24, 2008 at 01:28:50PM -0700, Zack Weinberg wrote:
> On Fri, Oct 24, 2008 at 1:19 PM, Markus Wanner <address@hidden> wrote:
> > However, I don't quite understand why it should be a security issue. All
> > hooks are user defined, so what should preventing dynamic loading
> > protect against? Maybe it's rather a simplification for portability? Zack?
> 
> I honestly don't remember anymore, and I'm not finding any discussion
> in the mailing list archive.  Maybe Nathaniel remembers?

Hm. Try searching the irc logs maybe.

IIRC, the concern was about people running lua code from within a
repository from a malicious committer.  There was a specific example
at the time where this was a common pattern, but I don't recall what
it was - maybe something like a previous version of ignore hooks.. 
 
This goes a long, long way back - the referenced commit I assume is
Zack doing some autoconf hacking trying to preserve that previous
behaviour.  The "disable shell-outs from lua for security" has been
there about as long as lua has, IIUC, and this seems like another
aspect of that.

--
Dan.
