Dnia 31 sierpnia 2017 22:45:42 CEST, "Michał Górny" <mgo...@gentoo.org>
napisał(a):
>Set PATH to /dev/null when sourcing the ebuild for dependency
>resolution
>in order to prevent shell from finding external commands via PATH
>lookup. While this does not prevent executing programs via full path,
>it
>should catch the majority of accidental uses.
>
>Closes: https://github.com/gentoo/portage/pull/199
>
>// Note: this can't be merged right now since we still have ebuilds
>// calling external commands; see:
>// https://bugs.gentoo.org/show_bug.cgi?id=629222
Update: gentoo is green now
>---
> bin/ebuild.sh | 6 +++++-
> bin/isolated-functions.sh | 4 ++++
> 2 files changed, 9 insertions(+), 1 deletion(-)
>
>diff --git a/bin/ebuild.sh b/bin/ebuild.sh
>index c23561651..94a44d534 100755
>--- a/bin/ebuild.sh
>+++ b/bin/ebuild.sh
>@@ -80,8 +80,12 @@ else
> done
> unset funcs x
>
>+ # prevent the shell from finding external executables
>+ # note: we can't use empty because it implies current directory
>+ _PORTAGE_ORIG_PATH=${PATH}
>+ export PATH=/dev/null
> command_not_found_handle() {
>- die "Command not found while sourcing ebuild: ${*}"
>+ die "External commands disallowed while sourcing ebuild: ${*}"
> }
> fi
>
>diff --git a/bin/isolated-functions.sh b/bin/isolated-functions.sh
>index e320f7132..b28e44f18 100644
>--- a/bin/isolated-functions.sh
>+++ b/bin/isolated-functions.sh
>@@ -121,6 +121,10 @@ __helpers_die() {
> }
>
> die() {
>+ # restore PATH since die calls basename & sed
>+ # TODO: make it pure bash
>+ [[ -n ${_PORTAGE_ORIG_PATH} ]] && PATH=${_PORTAGE_ORIG_PATH}
>+
> set +x # tracing only produces useless noise here
> local IFS=$' \t\n'
>
--
Best regards,
Michał Górny (by phone)
