Dnia 31 sierpnia 2017 22:45:42 CEST, "Michał Górny" <mgo...@gentoo.org> 
napisał(a):
>Set PATH to /dev/null when sourcing the ebuild for dependency
>resolution
>in order to prevent shell from finding external commands via PATH
>lookup. While this does not prevent executing programs via full path,
>it
>should catch the majority of accidental uses.
>
>Closes: https://github.com/gentoo/portage/pull/199
>
>// Note: this can't be merged right now since we still have ebuilds
>// calling external commands; see:
>// https://bugs.gentoo.org/show_bug.cgi?id=629222

Update: gentoo is green now 

>---
> bin/ebuild.sh             | 6 +++++-
> bin/isolated-functions.sh | 4 ++++
> 2 files changed, 9 insertions(+), 1 deletion(-)
>
>diff --git a/bin/ebuild.sh b/bin/ebuild.sh
>index c23561651..94a44d534 100755
>--- a/bin/ebuild.sh
>+++ b/bin/ebuild.sh
>@@ -80,8 +80,12 @@ else
>       done
>       unset funcs x
> 
>+      # prevent the shell from finding external executables
>+      # note: we can't use empty because it implies current directory
>+      _PORTAGE_ORIG_PATH=${PATH}
>+      export PATH=/dev/null
>       command_not_found_handle() {
>-              die "Command not found while sourcing ebuild: ${*}"
>+              die "External commands disallowed while sourcing ebuild: ${*}"
>       }
> fi
> 
>diff --git a/bin/isolated-functions.sh b/bin/isolated-functions.sh
>index e320f7132..b28e44f18 100644
>--- a/bin/isolated-functions.sh
>+++ b/bin/isolated-functions.sh
>@@ -121,6 +121,10 @@ __helpers_die() {
> }
> 
> die() {
>+      # restore PATH since die calls basename & sed
>+      # TODO: make it pure bash
>+      [[ -n ${_PORTAGE_ORIG_PATH} ]] && PATH=${_PORTAGE_ORIG_PATH}
>+
>       set +x # tracing only produces useless noise here
>       local IFS=$' \t\n'
> 


-- 
Best regards,
Michał Górny (by phone)

Reply via email to