-
-
Notifications
You must be signed in to change notification settings - Fork 11.1k
Description
I've noticed your fix for the path vulnerability, thanks for this!
I was wondering if it is now also possible to manually set PREFIX/OPENSSLDIR/--prefix= to a custom, Windows path in a cross-build scenario. That case fails with the last stable releases, Windows absolute paths being misdetected as relative ones, making the build process bail out early with the error: Directory given with --prefix MUST be absolute. Another issue was that when passing a prefix containing spaces, the build process broke due to unquoted build paths that got the prefix appended to them. I could only fix the first issue by patching Configure, and the second one by using C:/Windows/ prefix, which contains no spaces.
So, I've made a cross-compile test (from macOS to mingw64) with the latest master, and experienced the same error as before:
./Configure mingw64 \
--cross-compile-prefix=x86_64-w64-mingw32- \
--prefix=C:/Windows/System32/OpenSSLOutput:
Failure! build file wasn't produced.
Please read INSTALL and associated NOTES files. You may also have to look over
your available compiler tool chain or change your configuration.
Directory given with --prefix MUST be absolute
The one with a vulnerable-on-Windows *nix path builds fine:
./Configure mingw64 \
--cross-compile-prefix=x86_64-w64-mingw32- \
--prefix=/usr/localThe check is done in lines below in Configure, and it uses a bare call into Perl's native file_name_is_absolute(), where that function only works correctly on paths matching Perl's platform, which is in this case:This is perl 5, version 30, subversion 0 (v5.30.0) built for darwin-thread-multi-2level.
elsif (/^[-+]/)
{
if (/^--prefix=(.*)$/)
{
$config{prefix}=$1;
die "Directory given with --prefix MUST be absolute\n"
unless file_name_is_absolute($config{prefix});
}The original of this thread started here:
#9400 (comment)
/cc @levitte