Package: lua-cgi
Version: 5.2~alpha2-1
Severity: serious
Justification: renders package useless

As far as I can tell - please do say if I am wrong - this package is completely useless with LUA5.1, as packaged.

When run with the following code:

=== cut ===
session = require("cgilua.session")
session.setsessiondir(CGILUA_TMP)
cgilua.addopenfunction (session.open)
cgilua.addclosefunction (session.close)
=== cut ===

I get the following error:

=== cut ===
/usr/share/lua/5.1/cgilua/session.lua:228: attempt to index field 'session' (a nil value)
stack traceback:
        /usr/share/lua/5.1/cgilua/session.lua:228: in function '?'
        /usr/share/lua/5.1/cgilua.lua:538: in function
        [C]: in function 'xpcall'
        /usr/share/lua/5.1/cgilua.lua:174: in function 'pcall'
        /usr/share/lua/5.1/cgilua.lua:637: in function 'main'
        /usr/share/lua/5.1/wsapi/sapi.lua:53: in function
        (tail call): ?
=== cut ===

Where line 228 is the first line in the following function that references cgilua.session:

=== cut ===
function M.close ()
        if next (cgilua.session.data) then
                M.save (id, cgilua.session.data)
                id = nil
        end
end
=== cut ===

I believe this is fixed by the upstream commit
https://github.com/keplerproject/cgilua/commit/bfc65f5df6838a2f39c98f6d8d0285fe27fbc7b3

As a workaround, I tried adding:

=== cut ===
cgilua.session = session
=== cut ===

But this gives another error (which I don't entirely understand):

=== cut ===
/usr/share/lua/5.1/cgilua/session.lua:228: bad argument #1 to 'next' (table expected, got nil)
stack traceback:
        [C]: in function 'next'
        /usr/share/lua/5.1/cgilua/session.lua:228: in function '?'
        /usr/share/lua/5.1/cgilua.lua:538: in function
        [C]: in function 'xpcall'
        /usr/share/lua/5.1/cgilua.lua:174: in function 'pcall'
        /usr/share/lua/5.1/cgilua.lua:637: in function 'main'
        /usr/share/lua/5.1/wsapi/sapi.lua:53: in function
        (tail call): ?
=== cut ===

As the close method is broken, it looks like lua-cgi is not capable of saving a session. I believe this also means that #953037 / CVE-2014-2875 does not apply.

https://bugs.debian.org/953037

Once I get a bug id for this bug, I plan to follow up on that bug report also.

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lua-cgi depends on:
ii  lua-expat       1.3.0-4
ii  lua-filesystem  1.6.3-1
ii  lua-socket      3.0~rc1+git+ac3201d-4

Versions of packages lua-cgi recommends:
pn  lua-wsapi  <none>

lua-cgi suggests no packages.