On 5/26/20 1:43 AM, Alec Warner wrote:
> On Mon, May 25, 2020 at 9:34 PM Zac Medico <zmedico@g.o
> <mailto:zmedico@g.o>> wrote:
>
> Since variables like A and AA can contain extremely large values which
> may trigger E2BIG errors during attempts to execute subprocesses, delay
> export until the last moment, and unexport when appropriate.
>
>
> So I think if you want to do this because PMS says:
> AA should not be visible in EAPI > 3.
> A should only be visible in src_*, pkg_nofetch.
>
> That part of the patch makes sense to me. The part that is confusing to
> me is the 'delay' part; can you explain that further? When you say
> "delay until the last moment" what do you mean by that and what value is
> it delivering?

If we export an environment variable which contains an extremely large
value, then there's a vulnerability in execve which causes it to fail
with an E2BIG error. Since A and AA values can easily grow large enough
to trigger this vulnerability, portage can protect itself from execve
failures by delaying the export until the moment that it hands control
to the ebuild phase.

> Is it simply that we don't export these variables on the python side,
> and we only use them in the shell portion?

That's correct. Here's a test case which demonstrates the E2BIG error,
and shows that 'export -n A' can suppress it:

$ A=$(dd if=/dev/zero bs=1M count=1 | tr '\0' ' ')
10+0 records in
10+0 records out
10485760 bytes (10 MB, 10 MiB) copied, 0.086557 s, 121 MB/s
$ echo ${#A}
10485760
$ export A
$ ls
bash: /bin/ls: Argument list too long
$ export -n A
$ /bin/echo hello world
hello world

--
Thanks,
Zac
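
Added example, not part of the original message and not portage's code: a Python view of the same behaviour on a Linux host, showing the spawn failing while A is in the child environment, succeeding once it is withheld, and a shell that receives the value unexported and exports it only after its external helper has run. The helper names try_spawn, without and late_export are hypothetical, /bin/echo and /bin/sh are assumed to exist, and the 10 MiB value is constructed to match the size shown in the transcript.

```python
import errno
import os
import subprocess

# Constructed value: 10 MiB of spaces, the size reported in the transcript above.
BIG = " " * (10 * 1024 * 1024)

def try_spawn(env):
    """Run /bin/echo with env; return None on success or the errno from execve()."""
    try:
        subprocess.run(["/bin/echo", "hello world"], env=env,
                       stdout=subprocess.DEVNULL, check=True)
    except OSError as exc:
        return exc.errno
    return None

def without(env, names):
    """Copy of env with the named variables left out of the child environment."""
    return {k: v for k, v in env.items() if k not in names}

def late_export(env, value):
    """Hypothetical hand-off: the shell reads the value from stdin into an
    unexported variable, runs an external helper, and only then exports it."""
    script = 'A=$(cat); /bin/echo helper-ok; export A; echo "${#A}"'
    done = subprocess.run(["/bin/sh", "-c", script], input=value, env=env,
                          capture_output=True, text=True, check=True)
    return done.stdout.split()

if __name__ == "__main__":
    env = dict(os.environ, A=BIG)
    small = without(env, {"A", "AA"})
    print("A exported:", errno.errorcode.get(try_spawn(env)))
    print("A withheld:", try_spawn(small))
    print("late export:", late_export(small, BIG))
```

After `export A` the script uses only the shell's builtin echo, so no further execve() is attempted with the oversized environment.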