Bug#954300: marked as done (lua-cgi: session closing broken on lua5.1)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Tue, 18 Nov 2025 10:20:35 +0000
with message-id <[🔎] E1vLIp9-004cSe-2a@fasolo.debian.org>
and subject line Bug#1119723: Removed package(s) from unstable
has caused the Debian Bug report #954300,
regarding lua-cgi: session closing broken on lua5.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
954300: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954300
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: lua-cgi: session closing broken on lua5.1
• From: Brian May <bam@debian.org>
• Date: Fri, 20 Mar 2020 07:54:45 +1100
• Message-id: <158465128512.9176.1524491724318075552.reportbug@silverfish.pri>

Package: lua-cgi
Version: 5.2~alpha2-1
Severity: serious
Justification: renders package useless

As far as I can tell - please do say if I am wrong - this package is
completely useless with LUA5.1, as packaged.

When run with the following code:

=== cut ===
session = require("cgilua.session")
session.setsessiondir(CGILUA_TMP)
cgilua.addopenfunction (session.open)
cgilua.addclosefunction (session.close)
=== cut ===

I get the following error:

=== cut ===
/usr/share/lua/5.1/cgilua/session.lua:228: attempt to index field 'session' (a nil value)
stack traceback:
  /usr/share/lua/5.1/cgilua/session.lua:228: in function '?'
  /usr/share/lua/5.1/cgilua.lua:538: in function
  [C]: in function 'xpcall'
  /usr/share/lua/5.1/cgilua.lua:174: in function 'pcall'
  /usr/share/lua/5.1/cgilua.lua:637: in function 'main'
  /usr/share/lua/5.1/wsapi/sapi.lua:53: in function
  (tail call): ?
=== cut ===

Where line 228 is the first line in the following function that
reference cgilua.session:

=== cut ===
function M.close ()
        if next (cgilua.session.data) then
                M.save (id, cgilua.session.data)
                id = nil
        end
end
=== cut ===

I belive this is fixed in by the upstream commit
https://github.com/keplerproject/cgilua/commit/bfc65f5df6838a2f39c98f6d8d0285fe27fbc7b3

As a work around, I tried adding:

=== cut ===
cgilua.session = session
=== cut ===

But this gives another error (which I don't entirely understand):

=== cut ===
/usr/share/lua/5.1/cgilua/session.lua:228: bad argument #1 to 'next' (table expected, got nil)
stack traceback:
  [C]: in function 'next'
  /usr/share/lua/5.1/cgilua/session.lua:228: in function '?'
  /usr/share/lua/5.1/cgilua.lua:538: in function
  [C]: in function 'xpcall'
  /usr/share/lua/5.1/cgilua.lua:174: in function 'pcall'
  /usr/share/lua/5.1/cgilua.lua:637: in function 'main'
  /usr/share/lua/5.1/wsapi/sapi.lua:53: in function
  (tail call): ?
=== cut ===

As the close method is broken, it looks like lua-cgi is not capable of
saving a session. I believe this also means that #953037 / CVE-2014-2875
does not apply.

https://bugs.debian.org/953037

Once I get a bug id for this bug, I plan to followup on that bug
report also.

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lua-cgi depends on:
ii  lua-expat       1.3.0-4
ii  lua-filesystem  1.6.3-1
ii  lua-socket      3.0~rc1+git+ac3201d-4

Versions of packages lua-cgi recommends:
pn  lua-wsapi  <none>

lua-cgi suggests no packages.

--- End Message ---

--- Begin Message ---

• To: 953037-done@bugs.debian.org,954300-done@bugs.debian.org,995503-done@bugs.debian.org,
• Cc: lua-cgi@packages.debian.org
• Subject: Bug#1119723: Removed package(s) from unstable
• From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
• Date: Tue, 18 Nov 2025 10:20:35 +0000
• Message-id: <[🔎] E1vLIp9-004cSe-2a@fasolo.debian.org>

Version: 6.0.2-2+rm

Dear submitter,

as the package lua-cgi has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1119723

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Thorsten Alteholz (the ftpmaster behind the curtain)

--- End Message ---