From 9ee428c10151d107463e5e06e1722ee786f71763 Mon Sep 17 00:00:00 2001
From: Luigi Scarso <luigi.scarso@gmail.com>
Date: Sun, 9 Feb 2025 11:22:12 +0100
Subject: [PATCH] fixed shell-escape bypass (thanks to tex@maxchernoff.ca)

---
 source/texk/web2c/luatexdir/ChangeLog           | 4 ++++
 source/texk/web2c/luatexdir/lua/luainit.c       | 8 ++++++++
 source/texk/web2c/luatexdir/luatex_svnversion.h | 2 +-
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/source/texk/web2c/luatexdir/ChangeLog b/source/texk/web2c/luatexdir/ChangeLog
index 75d657fc6..af86c6b55 100644
--- a/source/texk/web2c/luatexdir/ChangeLog
+++ b/source/texk/web2c/luatexdir/ChangeLog
@@ -1,3 +1,7 @@
+2025-02-05 Luigi Scarso <luigi.scarso@gmail.com>
+	* fixed shell-escape bypass (thanks to tex@maxchernoff.ca)
+
+	
 2025-02-05 Luigi Scarso <luigi.scarso@gmail.com>
 	* add mathemptydisplaymode primitive, 
 	* fix nodes leak in end_graf (thanks to udifoglle@gmail.com)
diff --git a/source/texk/web2c/luatexdir/lua/luainit.c b/source/texk/web2c/luatexdir/lua/luainit.c
index dad4ef716..a05a0e54c 100644
--- a/source/texk/web2c/luatexdir/lua/luainit.c
+++ b/source/texk/web2c/luatexdir/lua/luainit.c
@@ -733,6 +733,11 @@ static int luatex_kpse_clua_find(lua_State * L)
 {
     const char *filename;
     const char *name;
+    if (!clua_loader_function) {
+        /*tex library not found in this path */
+        lua_pushliteral(L, "\n\t[C searcher requires unrestricted shell escape]");
+        return 1;
+    }
     if (safer_option) {
         /*tex library not found in this path */
         lua_pushliteral(L, "\n\t[C searcher disabled in safer mode]");
@@ -1240,6 +1245,9 @@ void lua_initialize(int ac, char **av)
     /* the lua debug library is enabled if shell escape permits everything */
     if (shellenabledp && restrictedshell != 1) {
       luadebug_option = 1 ;      
+    } else {
+        luaL_unref(Luas, LUA_REGISTRYINDEX, clua_loader_function);
+        clua_loader_function = 0;
     }
     /*tex Here we load luatex-core.lua which takes care of some protection on demand. */
     if (load_luatex_core_lua(Luas)) {
diff --git a/source/texk/web2c/luatexdir/luatex_svnversion.h b/source/texk/web2c/luatexdir/luatex_svnversion.h
index e776749f3..78c8cec73 100644
--- a/source/texk/web2c/luatexdir/luatex_svnversion.h
+++ b/source/texk/web2c/luatexdir/luatex_svnversion.h
@@ -1,4 +1,4 @@
 #ifndef luatex_svn_revision_h
 #define luatex_svn_revision_h
-#define luatex_svn_revision 7659
+#define luatex_svn_revision 7660
 #endif
-- 
GitLab