From 77fa336849704071d068ecc199e6fbbbb85d9546 Mon Sep 17 00:00:00 2001 From: Profpatsch Date: Sat, 23 Apr 2016 17:19:19 +0200 Subject: [PATCH 1/2] setup.hs: substitute uses only valid bash names bash variable names may only contain alphanumeric ASCII-symbols and _, and must not start with a number. Nix expression attribute names however might contain nearly every character (in particular spaces and dashes). Previously, a substitution that was not a valid bash name would be expanded to an empty string. This commit introduce a check that throws a (hopefully) helpful error when a wrong name is used in a substitution. --- pkgs/stdenv/generic/setup.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh index 9399ff7a7643..f7f9cd533c1f 100644 --- a/pkgs/stdenv/generic/setup.sh +++ b/pkgs/stdenv/generic/setup.sh @@ -408,6 +408,11 @@ substitute() { if [ "$p" = --subst-var ]; then varName="${params[$((n + 1))]}" + # check if the used nix attribute name is a valid bash name + if ! [[ "$varName" =~ ^[a-zA-Z_]+[a-zA-Z0-9_]*$ ]]; then + echo "substitution variables must be valid bash names, \"$varName\" isn't." + exit 1; + fi pattern="@$varName@" replacement="${!varName}" n=$((n + 1)) @@ -439,6 +444,7 @@ substituteAll() { local output="$2" # Select all environment variables that start with a lowercase character. + # Will not work with nix attribute names (and thus env variables) containing '\n'. for envVar in $(env | sed -e $'s/^\([a-z][^=]*\)=.*/\\1/; t \n d'); do if [ "$NIX_DEBUG" = "1" ]; then echo "$envVar -> ${!envVar}" From a2d38bc7fc271ca5452ec3fd057bca3f737aa9ae Mon Sep 17 00:00:00 2001 
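Review bot: The new error in the `--subst-var` branch is printed to stdout and does not name the function that rejected the value, so it is easy to lose among ordinary builder output; I would send it to stderr with a prefix, `echo "substitute(): substitution variables must be valid bash names, \"$varName\" isn't." >&2`. The check should stay directly above `replacement="${!varName}"`, because it is what keeps anything other than a plain identifier from reaching the indirect expansion; a one-line comment saying so would stop a later refactor from moving it. The pattern can be simplified to `^[a-zA-Z_][a-zA-Z0-9_]*$` (the `+` is redundant), and since bracket ranges in `=~` follow the current locale it may be worth evaluating it under the C locale if the builder's locale is not guaranteed. The body of `substitute` starts and ends outside this hunk.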
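Review bot: The caveat added in `substituteAll` mentions only newlines in attribute names, but the loop reads `env` output line by line and then word-splits the unquoted `$(...)`, so a multi-line value containing a line that looks like `name=...`, or a name containing whitespace, would also produce entries that are not real variable names, as far as the visible sed expression shows. With the name check added to `substitute` in this same patch, such an entry could become a hard build failure instead of an empty substitution, if these names are passed on as `--subst-var` arguments (that part of the function is outside the hunk). I would widen the comment to something like `# Parses env output line by line: multi-line values and names containing whitespace or '\n' yield bogus entries.`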
From: Profpatsch Date: Sat, 23 Apr 2016 17:55:20 +0200 Subject: [PATCH 2/2] doc/stdenv.xml document substitution env variables The filtering of environment variables that start with an uppercase letter is documented in the manual. --- doc/stdenv.xml | 10 +++++++++- pkgs/build-support/substitute/substitute-all.nix | 1 + pkgs/stdenv/generic/setup.sh | 2 +- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/doc/stdenv.xml b/doc/stdenv.xml index 136e83ee0cda..8129dda5a37e 100644 --- a/doc/stdenv.xml +++ b/doc/stdenv.xml @@ -1169,7 +1169,15 @@ PATH=/nix/store/68afga4khv0w...-coreutils-6.12/bin echo @foo@ - That is, no substitution is performed for undefined variables. + That is, no substitution is performed for undefined variables. + + Environment variables that start with an uppercase letter are filtered out, + to prevent global variables (like HOME) from accidentally + getting substituted. + The variables also have to be valid bash “names”, as + defined in the bash manpage (alphanumeric or _, must not + start with a number). + diff --git a/pkgs/build-support/substitute/substitute-all.nix b/pkgs/build-support/substitute/substitute-all.nix index fb26894661d9..1022b25c4c9b 100644 --- a/pkgs/build-support/substitute/substitute-all.nix +++ b/pkgs/build-support/substitute/substitute-all.nix @@ -2,6 +2,7 @@ args: +# see the substituteAll in the nixpkgs documentation for usage and constaints stdenv.mkDerivation ({ name = if args ? name then args.name else baseNameOf (toString args.src); builder = ./substitute-all.sh; diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh index f7f9cd533c1f..a183aabed0e3 100644 --- a/pkgs/stdenv/generic/setup.sh +++ b/pkgs/stdenv/generic/setup.sh 
@@ -445,7 +445,7 @@ substituteAll() { # Select all environment variables that start with a lowercase character. # Will not work with nix attribute names (and thus env variables) containing '\n'. - for envVar in $(env | sed -e $'s/^\([a-z][^=]*\)=.*/\\1/; t \n d'); do + for envVar in $(set | sed -e $'s/^\([a-z][^=]*\)=.*/\\1/; t \n d'); do if [ "$NIX_DEBUG" = "1" ]; then echo "$envVar -> ${!envVar}" fi
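Review bot: Switching the loop from `env` to `set` widens what `substituteAll` iterates over, and neither the commit message (which describes a documentation change) nor the new manual text ("Environment variables ...") mentions it. `set` prints every shell variable, exported or not, and outside POSIX mode also function definitions, so lowercase script variables such as the `output` local seen in patch 1/2 or `envVar` itself become substitution candidates, and unindented lines in a function body that look like `name=...` can pass the sed filter. If only exported, validly named variables are meant, listing names without parsing values avoids both problems, e.g. `for envVar in $(awk 'BEGIN { for (v in ENVIRON) if (v ~ /^[a-z][a-zA-Z0-9_]*$/) print v }'); do`. If including unexported shell variables is intentional, a comment saying so and a matching sentence in doc/stdenv.xml would make the contract explicit. The body of `substituteAll` continues outside this hunk.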