[Scons-users] Bash + os.environ is an evil

Tom Tanner (BLOOMBERG/ LONDON) ttanner2 at bloomberg.net
Tue Apr 8 04:53:17 EDT 2014


This part of posix.py was changed in 2.3.1 (most of that code was discarded and escape is no longer called, as subprocess is called directly and the env parameters are passed to that). So it *may* be fixed in 2.3.1

----- Original Message -----
From: scons-users at scons.org
To: scons-users at scons.org
At: Apr 5 2014 02:13:02

William,

On 04.04.2014 17:13, Gary Oberbrunner wrote:

> On Fri, Apr 4, 2014 at 9:45 AM, Paweł Tomulik <ptomulik at meil.pw.edu.pl
> <mailto:ptomulik at meil.pw.edu.pl>> wrote:
>
> Not really a question, just want to share my today's experience.
>
> This code
>
> import os
> env = Environment(ENV = os.environ)
>
> can cause real headache. Especially if SCons is started under bash.
>
> It appears, that os.environ may contain bash functions, for example:
>
> { 'module' : "() { eval `/usr/bin/modulecmd bash \$*`\n}", ... }
>
> The effect is, that SCons executes these functions occasionally when
> executing its actions, especially when configuring with SConf.
>
> ...
>
>
> Hi Paweł; that's the first I've ever heard of shell functions going into
> the shell environment, but I can see it's possible. They are just
> strings of course, but some shells may treat them specially.
>
> However, SCons should NEVER execute those! It should treat all
> os.environ pairs as simple key:value pairs. Perhaps you mean that when
> you export this environment to a subshell and the subshell tries to exec
> 'module', _it_ executes the offending shell function? That of course
> would be possible (though amazingly annoying IMHO, unless someone was
> depending on it).
>



But it does (at least in 2.3.0, which I use).

There is a place in SCons 2.3.0, which generates commands such as:

env - FOO=foo BAR=bar GEEZ=geez sh -c command

to execute "command". The variable substitutions FOO, BAR, GEEZ are all
generated from env['ENV']. If GEEZ contains a bash function body, for
example, it gets executed.

If you check out the 2.3.0 tag, and look into

src/engine/SCons/Platform/posix.py

you'll see a function named _get_env_command() which is the root cause:

def _get_env_command(sh, escape, cmd, args, env):
    # Join the argument list into the command string to run.
    s = ' '.join(args)
    if env:
        # Prefix every key/value pair from env['ENV'] onto an
        # "env - KEY=VALUE ... sh -c command" line; a value holding
        # a bash function body ends up on that command line as well.
        l = ['env', '-'] + \
            [escape(t[0])+'='+escape(t[1]) for t in env.items()] + \
            [sh, '-c', escape(s)]
        s = ' '.join(l)
    return s

I see that posix.py changed in the meantime so it may be no longer an
issue, but I faced it on 2.3.0.



> --
> Gary
>
>
> _______________________________________________
> Scons-users mailing list
> Scons-users at scons.org
> http://four.pairlist.net/mailman/listinfo/scons-users
>


Regards!

--
Paweł Tomulik

_______________________________________________
Scons-users mailing list
Scons-users at scons.org
http://four.pairlist.net/mailman/listinfo/scons-users
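The workaround the thread points at is to stop handing `os.environ` to `Environment(ENV=...)` wholesale. The filter below is an added example written for this archive page; it is not code from the thread or from SCons. It drops exported bash function definitions before the dictionary reaches `env['ENV']`, recognising them either by the value shape the thread quotes (`() { ... }`) or by the `BASH_FUNC_name%%` / `BASH_FUNC_name()` key prefix that bash adopted after the 2014 Shellshock fixes (that key form is my addition, not something the thread mentions). The function names and the sample environment are constructed for the example.

```python
"""Strip exported shell-function definitions from an environment mapping.

Added example for the scons-users thread above; not SCons code.
Intended use in an SConstruct:

    env = Environment(ENV=sanitized_os_environ())
"""
import os
import re

# Value shape of an exported bash function body, e.g. the thread's
# "() { eval `/usr/bin/modulecmd bash \$*`\n}".
_FUNC_BODY = re.compile(r"^\(\)\s*\{")

# Key shape used by bash after the Shellshock fixes (assumption about
# the exact spelling; both variants seen in the wild are covered).
_FUNC_KEY = re.compile(r"^BASH_FUNC_\w+(%%|\(\))$")


def is_shell_function(key, value):
    """True when a KEY=VALUE pair carries a bash function definition."""
    return bool(_FUNC_BODY.match(value) or _FUNC_KEY.match(key))


def strip_shell_functions(environ):
    """Return (clean_copy, dropped_keys) for any string->string mapping.

    The input is not modified; dropped_keys is sorted so callers can log it.
    """
    clean = {}
    dropped = []
    for key, value in environ.items():
        if is_shell_function(key, value):
            dropped.append(key)
        else:
            clean[key] = value
    return clean, sorted(dropped)


def sanitized_os_environ():
    """os.environ with exported shell functions removed (a plain dict)."""
    clean, _dropped = strip_shell_functions(os.environ)
    return clean


# Constructed sample environment mirroring the thread's example.
SAMPLE_ENVIRON = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/builder",
    # The 'module' function from the thread (pre-Shellshock export form).
    "module": "() { eval `/usr/bin/modulecmd bash \\$*`\n}",
    # Post-Shellshock export form: function name encoded in the key.
    "BASH_FUNC_greet%%": "() {  echo hi\n}",
    # Contains "()" but is not a function body; must be kept.
    "PS1": "() not a function",
}

if __name__ == "__main__":
    kept, dropped = strip_shell_functions(SAMPLE_ENVIRON)
    print("dropped:", dropped)
    print("kept:   ", sorted(kept))
```

Run as a script it reports which keys were removed from the constructed sample; in an SConstruct only `sanitized_os_environ()` is needed. Logging `dropped_keys` is worth keeping in a build, since a silently vanishing `module` function is exactly the kind of thing that is hard to debug later.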
