https://bugzilla.wikimedia.org/show_bug.cgi?id=47300
Tim Starling <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Group|security                    |
                 CC|                            |[email protected]
          Component|General                     |Scribunto
           Assignee|[email protected]            |[email protected].
                   |                            |org
            Product|Security                    |MediaWiki extensions
            Summary|Ability to violate Lua      |Ability to violate Lua
                   |sandboxing due to the way   |module isolation due to
                   |require impacts the global  |retained package table
                   |space                       |

--- Comment #1 from Tim Starling <[email protected]> ---
A sandbox violation is when you can call, say, os.execute(). Module isolation
is a different thing from sandboxing and is not a security issue.

The ability to modify the base environment is a bit concerning, but I don't
think that's a security issue either, since you can't even generate PHP
warnings after mw.setupInterface() removes the mw_interface global. You do get
access to setfenv() and getfenv() but in the standalone engine, they are
already wrappers, and in the sandbox engine, they are harmless. So, changing
component.

This appears to be due to I92a47d31. A package module is created in the base
environment, and package.lua has:

    --
    -- avoid overwriting the package table if it's already there
    --
    package = package or {}
    ...
    package.loaders = package.loaders or { loader_preload }

So the loadPackage() closure from the base environment is retained in the
cloned environment, and so loaded chunks have their environment set to the base
environment before they are called.

Replacing "package = package or {}" with "package = {}" appears to fix the
problem, and all tests still pass after that is done.

Assigning to Brad.
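A simplified Lua 5.1 model of the retention described in the comment above, added here as an illustration; it is not Scribunto's package.lua and not part of the original bug report. The names `setup_package`, `clone` and `leaks` are hypothetical, and the recursive table copy and the second package setup inside the clone are assumptions about how the cloned environment is built.

```lua
-- Lua 5.1 only (relies on setfenv/getfenv). Simplified model, not Scribunto code.

-- Stand-in for package.lua, executed with `env` as its global environment.
local function setup_package(env, fixed)
  local init = function()
    if fixed then
      package = {}               -- proposed fix: always start from a fresh table
    else
      package = package or {}    -- original: reuse a package table if present
    end
    package.loaders = package.loaders or {
      function(src)
        local chunk = loadstring(src)
        -- The loader is a closure; getfenv(1) is the environment it was
        -- created in, so every chunk it loads runs against that environment.
        return setfenv(chunk, getfenv(1))
      end,
    }
  end
  setfenv(init, env)
  init()
end

-- Assumed clone: tables are copied recursively, functions are shared as-is.
local function clone(t)
  local copy = {}
  for k, v in pairs(t) do
    copy[k] = type(v) == "table" and clone(v) or v
  end
  return copy
end

-- Returns true when a chunk loaded from the cloned environment writes into base.
local function leaks(fixed)
  local base = { loadstring = loadstring, setfenv = setfenv, getfenv = getfenv }
  setup_package(base, false)         -- package module created in the base env
  local module_env = clone(base)     -- per-module environment
  setup_package(module_env, fixed)   -- package setup run again in the clone
  module_env.package.loaders[1]("marker = true")()
  return base.marker == true
end

print("package = package or {} leaks into base:", leaks(false))
print("package = {}            leaks into base:", leaks(true))
```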
