Package: lua-cgi
Version: 5.2~alpha2-1
Severity: serious
Justification: renders package useless

As far as I can tell - please do say if I am wrong - this package is
completely useless with Lua 5.1, as packaged.

When run with the following code:

=== cut ===
session = require("cgilua.session")
session.setsessiondir(CGILUA_TMP)
cgilua.addopenfunction (session.open)
cgilua.addclosefunction (session.close)
=== cut ===

I get the following error:

=== cut ===
/usr/share/lua/5.1/cgilua/session.lua:228: attempt to index field 'session' (a nil value)
stack traceback:
  /usr/share/lua/5.1/cgilua/session.lua:228: in function '?'
  /usr/share/lua/5.1/cgilua.lua:538: in function
  [C]: in function 'xpcall'
  /usr/share/lua/5.1/cgilua.lua:174: in function 'pcall'
  /usr/share/lua/5.1/cgilua.lua:637: in function 'main'
  /usr/share/lua/5.1/wsapi/sapi.lua:53: in function
  (tail call): ?
=== cut ===

Where line 228 is the first line in the following function that
references cgilua.session:

=== cut ===
function M.close ()
        if next (cgilua.session.data) then
                M.save (id, cgilua.session.data)
                id = nil
        end
end
=== cut ===

I believe this is fixed by the upstream commit
https://github.com/keplerproject/cgilua/commit/bfc65f5df6838a2f39c98f6d8d0285fe27fbc7b3

As a workaround, I tried adding:

=== cut ===
cgilua.session = session
=== cut ===

But this gives another error (which I don't entirely understand):

=== cut ===
/usr/share/lua/5.1/cgilua/session.lua:228: bad argument #1 to 'next' (table expected, got nil)
stack traceback:
  [C]: in function 'next'
  /usr/share/lua/5.1/cgilua/session.lua:228: in function '?'
  /usr/share/lua/5.1/cgilua.lua:538: in function
  [C]: in function 'xpcall'
  /usr/share/lua/5.1/cgilua.lua:174: in function 'pcall'
  /usr/share/lua/5.1/cgilua.lua:637: in function 'main'
  /usr/share/lua/5.1/wsapi/sapi.lua:53: in function
  (tail call): ?
=== cut ===

As the close method is broken, it looks like lua-cgi is not capable of
saving a session. I believe this also means that #953037 / CVE-2014-2875
does not apply.

https://bugs.debian.org/953037

Once I get a bug id for this bug, I plan to follow up on that bug
report also.

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lua-cgi depends on:
ii  lua-expat       1.3.0-4
ii  lua-filesystem  1.6.3-1
ii  lua-socket      3.0~rc1+git+ac3201d-4

Versions of packages lua-cgi recommends:
pn  lua-wsapi  <none>

lua-cgi suggests no packages.
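
An added example, not part of the original report and not CGILua's own code: a self-contained Lua reproduction of the two error states quoted above, using the shape of the quoted close() against a stub `cgilua` table, next to a guarded close that reports the missing session data instead of raising. The stub table, the session id, the `saved` recorder and `close_guarded` are assumptions made for illustration.

```lua
-- Constructed stand-ins: only the shape of the close() quoted in the report.
local cgilua = {}                     -- stub for the global 'cgilua' table
local saved = {}                      -- records what a save would have written
local id = "constructed-session-id"   -- constructed value

local M = {}
function M.save(sid, data) saved[sid] = data end

-- close() as quoted in the report
function M.close()
  if next(cgilua.session.data) then
    M.save(id, cgilua.session.data)
    id = nil
  end
end

-- Hypothetical guarded variant: returns a status instead of raising, so a
-- close hook cannot abort the request and a skipped save is visible.
function M.close_guarded()
  local s = cgilua.session
  local data = type(s) == "table" and s.data or nil
  if type(data) ~= "table" then
    return false, "no session data table; nothing saved"
  end
  if id and next(data) then
    M.save(id, data)
    id = nil
    return true
  end
  return false, "session empty or already closed"
end

-- State 1: cgilua.session was never assigned (first traceback).
print(pcall(M.close))

-- State 2: the workaround 'cgilua.session = session'. The field now exists,
-- but the module table has no 'data' field yet (second traceback).
cgilua.session = M
print(pcall(M.close))
print(M.close_guarded())

-- State 3: once a data table is present, the guarded close saves it.
cgilua.session.data = { user = "constructed-user" }
print(M.close_guarded())
print(saved["constructed-session-id"] ~= nil)
```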
