[Scons-users] Bash + os.environ is an evil

Pawel Tomulik ptomulik at meil.pw.edu.pl
Fri Apr 4 20:57:39 EDT 2014


William,

On 04.04.2014 17:13, Gary Oberbrunner wrote:

> On Fri, Apr 4, 2014 at 9:45 AM, Paweł Tomulik <ptomulik at meil.pw.edu.pl
> <mailto:ptomulik at meil.pw.edu.pl>> wrote:
>
> Not really a question, just want to share my today's experience.
>
> This code
>
> import os
> env = Environment(ENV = os.environ)
>
> can cause real headache. Especially if SCons is started under bash.
>
> It appears, that os.environ may contain bash functions, for example:
>
> { 'module' : "() { eval `/usr/bin/modulecmd bash \$*`\n}", ... }
>
> The effect is, that SCons executes these functions occasionally when
> executing its actions, especially when configuring with SConf.
>
> ...
>
>
> Hi Paweł; that's the first I've ever heard of shell functions going into
> the shell environment, but I can see it's possible. They are just
> strings of course, but some shells may treat them specially.
>
> However, SCons should NEVER execute those! It should treat all
> os.environ pairs as simple key:value pairs. Perhaps you mean that when
> you export this environment to a subshell and the subshell tries to exec
> 'module', _it_ executes the offending shell function? That of course
> would be possible (though amazingly annoying IMHO, unless someone was
> depending on it).
>



But it does (at least the 2.3.0 I use).

There is a place in SCons 2.3.0 which generates commands such as:

    env - FOO=foo BAR=bar GEEZ=geez sh -c command

to execute "command". The variable substitutions FOO, BAR, GEEZ are all
generated from env['ENV']. If GEEZ contains a bash function body, for
example, it gets executed.

If you check out the 2.3.0 tag and look into

    src/engine/SCons/Platform/posix.py

you'll see a function named _get_env_command(), which is the root
cause:

    def _get_env_command(sh, escape, cmd, args, env):
        s = ' '.join(args)
        if env:
            l = ['env', '-'] + \
                [escape(t[0])+'='+escape(t[1]) for t in env.items()] + \
                [sh, '-c', escape(s)]
            s = ' '.join(l)
        return s

I see that posix.py has changed in the meantime, so it may no longer be an
issue, but I faced it on 2.3.0.



> --
> Gary
>


Regards!

--
Paweł Tomulik
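
Added example (not part of the original message and not SCons code): one way to avoid handing exported bash functions to SCons is to filter os.environ before using it as ENV. The helper names and the sample environment below are hypothetical; the BASH_FUNC_ name prefix is how later, patched bash versions name exported functions, and the "() {" value prefix is the form shown in the message above.

```python
import shlex

# bash serializes an exported function as a value starting with "() {".
FUNC_MARKER = "() {"
# Later (patched) bash versions export functions as BASH_FUNC_name%%.
FUNC_NAME_PREFIX = "BASH_FUNC_"


def is_shell_function(name, value):
    """True if this environment pair looks like an exported bash function."""
    return name.startswith(FUNC_NAME_PREFIX) or value.startswith(FUNC_MARKER)


def find_shell_functions(environ):
    """Sorted names of the entries that scrub_environ() would drop."""
    return sorted(n for n, v in environ.items() if is_shell_function(n, v))


def scrub_environ(environ, allow=None):
    """Copy environ without exported functions; optionally keep only `allow`."""
    return {
        n: v for n, v in environ.items()
        if not is_shell_function(n, v) and (allow is None or n in allow)
    }


def env_command(sh, cmd, env):
    """Same 'env - K=V ... sh -c cmd' shape as above, quoted with shlex.quote."""
    pairs = [shlex.quote(n + "=" + v) for n, v in sorted(env.items())]
    return " ".join(["env", "-"] + pairs + [sh, "-c", shlex.quote(cmd)])


# Constructed sample environment (not captured from a real system).
SAMPLE = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/build",
    "module": "() {  eval `/usr/bin/modulecmd bash $*`\n}",
    "BASH_FUNC_module%%": "() {  eval `/usr/bin/modulecmd bash $*`\n}",
}

if __name__ == "__main__":
    print("dropped:", find_shell_functions(SAMPLE))
    print(env_command("sh", "gcc --version", scrub_environ(SAMPLE)))
    # In an SConstruct: env = Environment(ENV=scrub_environ(os.environ))
```

Passing an explicit allow set (for example only PATH and HOME) keeps the build environment small and reproducible in addition to dropping function definitions.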


