Merge pull request #36400 from azat/dyn-linker-vars

Add more harmful variables for OSX
2024-09-19 16:20:50 +00:00 · 2022-04-21 00:02:51 +02:00 · 2022-04-21 00:02:51 +02:00 · 2f38e7bc5c
commit 2f38e7bc5c
parent a7318b3a96 828d23c933
3 changed files with 36 additions and 3 deletions
--- a/programs/main.cpp
+++ b/programs/main.cpp
@ -334,11 +334,24 @@ struct Checker
 #endif
 ;

+/// NOTE: We will migrate to full static linking or our own dynamic loader to make this code obsolete.
 void checkHarmfulEnvironmentVariables()
 {
-    /// The list is a selection from "man ld-linux". And one variable that is Mac OS X specific.
-    /// NOTE: We will migrate to full static linking or our own dynamic loader to make this code obsolete.
-    for (const auto * var : {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_ORIGIN_PATH", "LD_AUDIT", "LD_DYNAMIC_WEAK", "DYLD_INSERT_LIBRARIES"})
+    std::initializer_list<const char *> harmful_env_variables = {
+        /// The list is a selection from "man ld-linux".
+        "LD_PRELOAD",
+        "LD_LIBRARY_PATH",
+        "LD_ORIGIN_PATH",
+        "LD_AUDIT",
+        "LD_DYNAMIC_WEAK",
+        /// The list is a selection from "man dyld" (osx).
+        "DYLD_LIBRARY_PATH",
+        "DYLD_FALLBACK_LIBRARY_PATH",
+        "DYLD_VERSIONED_LIBRARY_PATH",
+        "DYLD_INSERT_LIBRARIES",
+    };
+
+    for (const auto * var : harmful_env_variables)
    {
        if (const char * value = getenv(var); value && value[0])
        {
--- a/tests/queries/0_stateless/02280_dynamic_linker_env.reference
+++ b/tests/queries/0_stateless/02280_dynamic_linker_env.reference
@ -0,0 +1,2 @@
+1
+1
--- a/tests/queries/0_stateless/02280_dynamic_linker_env.sh
+++ b/tests/queries/0_stateless/02280_dynamic_linker_env.sh
@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+CUR_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+# shellcheck source=../shell_config.sh
+. "$CUR_DIR"/../shell_config.sh
+
+static=$($CLICKHOUSE_LOCAL -q "SELECT value IN ('ON', '1') FROM system.build_options WHERE name = 'STATIC'")
+
+clickhouse-local -q 'select 1'
+
+if [ "$static" -eq 1 ]; then
+    # "grep -c" will also gives "1"
+    LD_LIBRARY_PATH=/ clickhouse-local -q 'select 1' |& grep -x -F -c 'Environment variable LD_LIBRARY_PATH is set to /. It can compromise security.'
+else
+    # works because it does not uses main.cpp entrypoint
+    # (due to shared build is always splitted, and non-splitted will have lots of ODR issues)
+    LD_LIBRARY_PATH=/ clickhouse-local -q 'select 1'
+fi