Thanks again.

Does anyone support restoring the ability to find lua in the user data dir
without the need for path manipulation? If so, I'd be happy to create an
issue (maybe I'll create one anyway).

(BTW I've changed to using LUA_PATH_5_3; I've also appended ;; so as to
prefix my user data dir to the existing path.)

On Thu, 12 Aug 2021 at 17:00, BPJ <bpj-J3H7GcXPSITLoDKTGw+V6w@public.gmane.org> wrote:

> That's exactly my point. If *you* wrote all your filters and *you* wrote
> all your datadir Lua there is no reason not to trust either. If you didn't
> write it yourself restricting LUA_PATH means that a malicious filter can't
> `require` stuff in your datadir, but if it knows the path to your datadir
> it could poke around by other means. You have to look at the code you run
> and check that it doesn't do anything bad.
>
> Den tors 12 aug. 2021 13:23William Lupton <wlupton-QSt+ys/nuMyEUIsrzH9SikB+6BGkLq7r@public.gmane.org>
> skrev:
>
>> Thanks (I am _definitely_ not an expert!). I'm sure that I should do what
>> you suggest (and prefix the existing LUA_PATH) but in this specific case it
>> didn't seem to be necessary (note that I'm only setting LUA_PATH for this
>> specific pandoc invocation, actually via a 'make' rule; I'm not exporting
>> it). I didn't know about LUA_PATH_5_3, so I suppose I should have set it
>> instead (then I have to know that pandoc embeds lua 5.3 but I expect that I
>> need to know that anyway in order to write the filter in the first place).
>>
>> My point about security is that by setting LUA_PATH I think I'm enabling
>> essentially the same "search $DATADIR" behaviour that has been removed.
>> Ideally I'd prefer not to have to mess with an environment variable. Yes I
>> could add code to every filter and writer to find and use $DATADIR, but I
>> was hoping not to have to do this!
>>
>> I suppose my bottom line question is why it isn't OK to trust the
>> $DATADIR lua. After all, $DATADIR/filters and $DATADIR/writers are surely
>> trusted?
>>
>> On Thu, 12 Aug 2021 at 10:47, BPJ <bpj-J3H7GcXPSITLoDKTGw+V6w@public.gmane.org> wrote:
>>
>>> Wouldn't you have to do `LUA_PATH="$DATADIR/?.lua;$LUA_PATH"`? Also
>>> LUA_PATH_5_3 overrides LUA_PATH if set.
>>>
>>> To my understanding (although I am *not* an expert) the security problem
>>> arises if you run filters not written or at least reviewed by you (or
>>> someone you really trust) and/or your LUA_PATH gives access to similarly
>>> untrustworthy code. Besides `require` is not the only thing you need to
>>> look out for. `load` and `loadfile` and generally the `io` library and the
>>> pandoc library's `pipe` are equally or more problematic regardless of what
>>> is in LUA_PATH, and last I looked every filter has access to the datadir
>>> location. There is never any substitute to knowing what's reachable from
>>> code, and knowing what code does. Still most of us trust code repositories
>>> like Luarocks and its equivalents to monitor for harmful code, but in
>>> principle there is no substitute to reviewing code yourself.
>>>
>>> Den tors 12 aug. 2021 10:44William Lupton <wlupton-QSt+ys/nuMyEUIsrzH9SikB+6BGkLq7r@public.gmane.org>
>>> skrev:
>>>
>>>> Hello,
>>>>
>>>> My lua filters and writers all do "local utils = require 'utils'" to
>>>> load utils.lua from my user data dir.
>>>>
>>>> I recently upgraded from pandoc 2.11.4 (23 Jan) to 2.14.1 (18 Jul) and
>>>> therefore this stopped working, as discussed here:
>>>>
>>>>    - Lua filter can not find lua package in data-dir
>>>>    <https://groups.google.com/g/pandoc-discuss/c/rMfK9i9ZdWs/m/GmsnnHNqAQAJ> (predates
>>>>    pandoc 2.12)
>>>>    - Using require on Lua filter doesn't work anymore in Pandoc 2.12
>>>>    <https://groups.google.com/g/pandoc-discuss/c/1wmM9ZzP9pw/m/O3wns027AAAJ>
>>>>
>>>> Following the advice in the second thread, I ended up setting LUA_PATH.
>>>> I preferred this solution because it didn't involve changing any source
>>>> files.
>>>>
>>>> My pandoc command used to be "pandoc --data-dir=$DATADIR ..." and is
>>>> now "LUA_PATH=$DATADIR/?.lua pandoc --data-dir=$DATADIR ..." so it seems to
>>>> me that I must be subverting the fix to any security problems that were
>>>> fixed by not searching the user data dir!
>>>>
>>>> I'm wondering whether it might be possible to restore searching of
>>>> the user data dir, possibly with some restrictions to prevent things like
>>>> overriding pandoc.List. It would be really nice to be able to use a simple
>>>> "require".
>>>>
>>>> Thanks,
>>>> William
>>>>
>>>> PS, Note that utils.lua isn't in the same directory as the filters or
>>>> writers. These are in $DATADIR/filters and $DATADIR/writers, whereas
>>>> utils.lua is in the parent $DATADIR. I'd be happy to put utils.lua in some
>>>> other $DATADIR sub-directory.
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "pandoc-discuss" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to pandoc-discuss+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/pandoc-discuss/CAEe_xxhAWWYZO5C4sdwSEpRGiavcNg-6JzWvGjMtzOs5rFjDuw%40mail.gmail.com
>>>> <https://groups.google.com/d/msgid/pandoc-discuss/CAEe_xxhAWWYZO5C4sdwSEpRGiavcNg-6JzWvGjMtzOs5rFjDuw%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>> .
>>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "pandoc-discuss" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to pandoc-discuss+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/pandoc-discuss/CADAJKhAOStn6WUCQ2eNPGU%2BdZD9GETR8ktHJXzk00A%3Dzo0S1dQ%40mail.gmail.com
>>> <https://groups.google.com/d/msgid/pandoc-discuss/CADAJKhAOStn6WUCQ2eNPGU%2BdZD9GETR8ktHJXzk00A%3Dzo0S1dQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "pandoc-discuss" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to pandoc-discuss+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/pandoc-discuss/CAEe_xxjLNvz4afJuwDhBqc0rnnQ%3Dh5_i3W3s_VPuQTSx0WfqqQ%40mail.gmail.com
>> <https://groups.google.com/d/msgid/pandoc-discuss/CAEe_xxjLNvz4afJuwDhBqc0rnnQ%3Dh5_i3W3s_VPuQTSx0WfqqQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
>> .
>>
> --
> You received this message because you are subscribed to the Google Groups
> "pandoc-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to pandoc-discuss+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/pandoc-discuss/CADAJKhBfbdHs74_HGSnfMzBNy6TD%3D%2BqC1k0MWG4_kh2Kfp-nzA%40mail.gmail.com
> <https://groups.google.com/d/msgid/pandoc-discuss/CADAJKhBfbdHs74_HGSnfMzBNy6TD%3D%2BqC1k0MWG4_kh2Kfp-nzA%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>

-- 
You received this message because you are subscribed to the Google Groups "pandoc-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pandoc-discuss+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To view this discussion on the web visit https://groups.google.com/d/msgid/pandoc-discuss/CAEe_xxh4bHGws%3Dhh%3D9b4Oy0%3DOt1edG86KHWHp%2BnfOOGayM-EbA%40mail.gmail.com.