pkg/50752: Sanitize ENV

To: pkg-manager%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,pkgsrc-bugs%netbsd.org@localhost
Subject: pkg/50752: Sanitize ENV
From: jmmv%meroh.net@localhost
Date: Tue, 2 Feb 2016 20:55:00 +0000 (UTC)

>Number:         50752
>Category:       pkg
>Synopsis:       Sanitize ENV
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Feb 02 20:55:00 +0000 2016
>Originator:     Julio Merino
>Release:        pkgsrc as of today
>Organization:
>Environment:
N/A
>Description:
pkgsrc currently does not sanitize the ENV environment variable. As a result, compilations can break at random when ENV is defined by the user and points at a file that won't work within pkgsrc.

Consider, for example:

ENV="${HOME}/.shrc"

where "${HOME}/.shrc" sources another file "${HOME}/foo". When .shrc is read within a pkgsrc build, the script fails because ${HOME}/foo is not valid (because HOME has been reset to point within the package's work directory and thus /foo is missing).

Regardless of this particular example, reading any of the ENV contents within pkgsrc is semantically wrong because arbitrary user settings can affect the build results in unexpected manners so this should be disallowed.
>How-To-Repeat:

>Fix:
The fix is trivial: add ALL_ENV+=ENV= to bsd.pkg.mk so that ENV is cleared during the build. However, I haven't touched pkgsrc internals for a long time so I'm wary of doing this change myself. Filing this PR so this can be tracked and assessed.

Prev by Date: pkg/50753: pkg-config build failure with gcc6 defaults (linux)
Next by Date: pkg/50761: mail/opensmtpd build error on CentOS 6.7
Previous by Thread: pkg/50753: pkg-config build failure with gcc6 defaults (linux)
Next by Thread: Re: pkg/50752: Sanitize ENV
Indexes:

Home | Main Index | Thread Index | Old Index