From 005b391342c95a2d7a2eb05e29558609b7213208 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcel=20Fabian=20Kr=C3=BCger?=
Date: Sat, 11 Jul 2020 19:44:46 +0200
Subject: [PATCH] Never use local path for finding initscript

This is a security measure. The init script runs with maximum privileges, especially allowing full shell escape and similar. We don't want to allow circumventing such options by naming a local file like an initscript.
---
 luametalatex.lua | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/luametalatex.lua b/luametalatex.lua
index baae1ee..d4e5fc9 100644
--- a/luametalatex.lua
+++ b/luametalatex.lua
@@ -20,8 +20,11 @@ for i, a in ipairs(os.selfarg) do
 end
 end
 os.setenv("engine", status.luatex_engine)
-local kpse_call = io.popen(string.format("kpsewhich -progname %s -format lua -must-exist %s-init.lua", format, format))
-local file = kpse_call:read()
+local kpse_call = io.popen(string.format("kpsewhich -progname %s -format lua -all -must-exist %s-init.lua", format, format))
+local file
+repeat
+ file = kpse_call:read()
+until not file:match('^%.')
 if not kpse_call:close() then
 error(file)
 end
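Review bot: The new `repeat` loop calls `file:match` on whatever `kpse_call:read()` returns, so when kpsewhich prints only `.`-prefixed paths or nothing at all, `read()` returns nil and the script dies with an index-nil error before the `kpse_call:close()` check can report anything. It still fails closed, but the guard should be explicit: `until not file or not file:match('^%.')`, followed by `if not file then kpse_call:close() error('no init script found outside the local directory') end`. The `'^%.'` test is also a prefix denylist: it rejects only results that kpsewhich prints with a leading dot, so a hit from a relative search-path entry without one, or from the working directory listed by absolute path, would presumably pass; rejecting every non-absolute result would cover the first case, while the second depends on the search-path configuration. `format` is set outside this hunk and goes into the `io.popen` command string unquoted, which is worth confirming against the argument parsing above.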