Don't allow PONYPATH to override standard library #3780

Merged Jul 6, 2021 (1 commit)

SeanTAllen
Member

Prior to this change, a library could contain a package called `builtin`
that would override the standard library version. This could be an attack
vector. You can still override the standard library location by using the
ponyc `--paths` option.

Any code which relied on the PONYPATH items being before the standard
library in the package search path will need to switch to using `--paths`
on the ponyc command line.

Closes #3779

@SeanTAllen SeanTAllen added the changelog - changed Automatically add "Changed" CHANGELOG entry on merge label Jul 6, 2021
@SeanTAllen SeanTAllen requested a review from a team July 6, 2021 12:15
Contributor

@Theodus Theodus left a comment

Looks good to me. Thanks!

@SeanTAllen SeanTAllen merged commit 6b3f369 into main Jul 6, 2021
@SeanTAllen SeanTAllen deleted the issue-3779 branch July 6, 2021 13:05
github-actions bot pushed a commit that referenced this pull request Jul 6, 2021
github-actions bot pushed a commit that referenced this pull request Jul 6, 2021
@redvers redvers mentioned this pull request Jul 7, 2021
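
The search-order change described in this pull request, modelled as an added example (not code from the ponyc project). It assumes a simplified resolver in which a package is a directory and `--paths` entries are searched first; the directory names `stdlib`, `vendored_lib` and `mylib` are constructed. The `shadowing_packages` helper is a hypothetical audit for PONYPATH entries that carry a package named like a standard library one.

```python
import tempfile
from pathlib import Path

def search_order(stdlib, ponypath, paths_opt=(), stdlib_first=True):
    """Simplified model of the package search path (an assumption, not ponyc's code).

    --paths entries come first because the PR says they can still override
    the standard library; stdlib_first=False models the pre-change order.
    """
    env = list(ponypath)
    tail = [stdlib] + env if stdlib_first else env + [stdlib]
    return list(paths_opt) + tail

def find_package(name, order):
    """Return the first directory in `order` that holds a package `name`."""
    for root in order:
        candidate = Path(root) / name
        if candidate.is_dir():
            return candidate
    return None

def shadowing_packages(stdlib, ponypath):
    """Audit: packages under PONYPATH entries named like a stdlib package."""
    std_names = {p.name for p in Path(stdlib).iterdir() if p.is_dir()}
    return [p for root in ponypath
            for p in sorted(Path(root).iterdir())
            if p.is_dir() and p.name in std_names]

def demo():
    """Resolve `builtin` over a constructed layout, before and after the change."""
    with tempfile.TemporaryDirectory() as tmp:
        stdlib = Path(tmp) / "stdlib"
        vendored = Path(tmp) / "vendored_lib"  # constructed PONYPATH entry
        for d in (stdlib / "builtin", stdlib / "collections",
                  vendored / "builtin", vendored / "mylib"):
            d.mkdir(parents=True)
        def owner(order):
            return find_package("builtin", order).parent.name
        return {
            "before": owner(search_order(stdlib, [vendored], stdlib_first=False)),
            "after": owner(search_order(stdlib, [vendored])),
            "with_paths": owner(search_order(stdlib, [], paths_opt=[vendored])),
            "shadowing": [f"{p.parent.name}/{p.name}"
                          for p in shadowing_packages(stdlib, [vendored])],
        }

if __name__ == "__main__":
    print(demo())
```
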
Successfully merging this pull request may close these issues.

ponyc --safe and builtin library security bypass.