Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: "Michał Górny" <mgorny@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/portage:master commit in: bin/
Date: Mon, 11 Sep 2017 20:33:08
Message-Id: 1505161966.fb2459330cf226ee34d3875a1143531bd109aaf2.mgorny@gentoo
1 commit: fb2459330cf226ee34d3875a1143531bd109aaf2
2 Author: Michał Górny <mgorny <AT> gentoo <DOT> org>
3 AuthorDate: Thu Aug 31 20:29:50 2017 +0000
4 Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
5 CommitDate: Mon Sep 11 20:32:46 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/portage.git/commit/?id=fb245933
7
8 ebuild.sh: Completely ban external commands in global scope
9
10 Set PATH to /dev/null when sourcing the ebuild for dependency resolution
11 in order to prevent shell from finding external commands via PATH
12 lookup. While this does not prevent executing programs via full path, it
13 should catch the majority of accidental uses.
14
15 Closes: https://github.com/gentoo/portage/pull/199
16 Reviewed-by: Zac Medico <zmedico <AT> gentoo.org>
17
18 bin/ebuild.sh | 6 +++++-
19 bin/isolated-functions.sh | 4 ++++
20 2 files changed, 9 insertions(+), 1 deletion(-)
21
22 diff --git a/bin/ebuild.sh b/bin/ebuild.sh
23 index c23561651..94a44d534 100755
24 --- a/bin/ebuild.sh
25 +++ b/bin/ebuild.sh
26 @@ -80,8 +80,12 @@ else
27 done
28 unset funcs x
29
30 + # prevent the shell from finding external executables
31 + # note: we can't use empty because it implies current directory
32 + _PORTAGE_ORIG_PATH=${PATH}
33 + export PATH=/dev/null
34 command_not_found_handle() {
35 - die "Command not found while sourcing ebuild: ${*}"
36 + die "External commands disallowed while sourcing ebuild: ${*}"
37 }
38 fi
39
40
41 diff --git a/bin/isolated-functions.sh b/bin/isolated-functions.sh
42 index e320f7132..b28e44f18 100644
43 --- a/bin/isolated-functions.sh
44 +++ b/bin/isolated-functions.sh
45 @@ -121,6 +121,10 @@ __helpers_die() {
46 }
47
48 die() {
49 + # restore PATH since die calls basename & sed
50 + # TODO: make it pure bash
51 + [[ -n ${_PORTAGE_ORIG_PATH} ]] && PATH=${_PORTAGE_ORIG_PATH}
52 +
53 set +x # tracing only produces useless noise here
54 local IFS=$' \t\n'
Report Message
Find on MARC Find on Google Groups