bisect-runner.pl needs to set DYLD_LIBRARY_PATH on macOS

El Capitan (OS X 10.11) (and later) strip DYLD_LIBRARY_PATH from the environment of /bin/sh, hence setting the existing code that sets this in %ENV assuming that it is visible to the invoked process no longer works. We have to be explicit in every invocation, as part of the command that the shell itself is processing. This hurts us because in 5.8.0 and earlier the hints default macOS to build a shared perl library.
author: Nicholas Clark <nick@ccl4.org> 2022-08-02 10:23:15 +0200
committer: Yves Orton <demerphq@gmail.com> 2023-02-11 07:17:42 +0100
commit: 7aa54fe19fcfbd642dc14bdd8b40ec86982aacc2 (patch)
tree: 1cf8c78f6f21ea03d9bacb0272c8dc3959906eb1 /Porting
parent: 7d994703dedf28a09a41810269ad0810e55096cb (diff)
download: perl-7aa54fe19fcfbd642dc14bdd8b40ec86982aacc2.tar.gz
1 files changed, 65 insertions, 2 deletions
diff --git a/Porting/bisect-runner.pl b/Porting/bisect-runner.pl
index 58a40531bd..4924f93d69 100755
--- a/Porting/bisect-runner.pl
+++ b/Porting/bisect-runner.pl
@@ -86,7 +86,24 @@ exit 255 unless $rv;
 
 my ($target, $match) = @options{qw(target match)};
 
-@ARGV = ('sh', '-c', 'cd t && ./perl TEST base/*.t')
+# El Capitan (OS X 10.11) (and later) strip DYLD_LIBRARY_PATH
+# from the environment of /bin/sh
+# https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/RuntimeProtections/RuntimeProtections.html
+#
+# (They *could* have chosen instead to ignore it and pass it through. It would
+# have the same direct effect, but maybe needing more coding. I suspect the
+# choice to strip it was deliberate, as it will also eliminate a bunch more
+# attack vectors, because it prevents you sneaking an override "into" something
+# else you convince the user to run.)
+
+my $aggressive_apple_security = "";
+if ($^O eq 'darwin') {
+    require Cwd;
+    my $cwd = quotemeta Cwd::getcwd();
+    $aggressive_apple_security = "DYLD_LIBRARY_PATH=$cwd ";
+}
+
+@ARGV = ('sh', '-c', "cd t && $aggressive_apple_security./perl TEST base/*.t")
     if $options{validate} && !@ARGV;
 
 pod2usage(exitval => 0, verbose => 2) if $options{usage};
@@ -123,7 +140,7 @@ if (defined $target && $target =~ /\.t\z/) {
     unless ($target =~ s!\At/!!) {
         $target = "../$target";
     }
-    @ARGV = ('sh', '-c', "cd t && ./perl TEST " . quotemeta $target);
+    @ARGV = ('sh', '-c', "cd t && $aggressive_apple_security./perl TEST " . quotemeta $target);
     $target = 'test_prep';
 }
 
@@ -1691,6 +1708,7 @@ if ($options{'all-fixups'}) {
     patch_SH();
     patch_C();
     patch_ext();
+    patch_t();
 }
 apply_fixups($options{'early-fixup'});
 
@@ -1824,6 +1842,7 @@ if($options{'force-regen'}
 unless ($options{'all-fixups'}) {
     patch_C();
     patch_ext();
+    patch_t();
 }
 
 # Parallel build for miniperl is safe
@@ -3424,6 +3443,38 @@ $2!;
         }
     }
 
+    if ($^O eq 'darwin' && ($major < 8
+                                || ($major < 10
+                                    && !extract_from_file('ext/DynaLoader/Makefile.PL',
+                                                          qr/sub MY::static /)))) {
+        my $cwd = Cwd::getcwd();
+        my $wrapper = 'miniperl.sh';
+        my $fh = open_or_die($wrapper, '>');
+        print $fh <<"EOT";
+#!/bin/sh
+${aggressive_apple_security}exec $cwd/miniperl "\$\@"
+EOT
+        close_or_die($fh);
+        chmod 0755, $wrapper
+            or die "Couldn't chmod 0755 $wrapper: $!";
+
+        edit_file('ext/util/make_ext', sub {
+                      my $code = shift;
+                      # This is shell expansion syntax
+                      $code =~ s{ (\.\./\$depth/miniperl) }
+                                { $1.sh };
+                      # This is actually the same line as edited above.
+                      # We need this because (yay), without this EU::MM will
+                      # default to searching for a working perl binary
+                      # (sensible plan) but due to macOS stripping
+                      # DYLD_LIBRARY_PATH during system(...), .../miniperl
+                      # (as found from $^X) *isn't* going to work.
+                      $code =~ s{ (Makefile\.PL INSTALLDIRS=perl) }
+                                { $1 PERL=\.\./\$depth/miniperl.sh };
+                      return $code;
+                  });
+    }
+
     if ($^O eq 'aix' && $major >= 8 && $major < 28
         && extract_from_file('Makefile.SH', qr!\Q./$(MINIPERLEXP) makedef.pl\E.*aix!)) {
         # This is a variant the AIX part of commit 72bbce3da5eeffde:
@@ -4544,6 +4595,18 @@ EOPATCH
     }
 }
 
+sub patch_t {
+    if ($^O eq 'darwin') {
+        # This has # $x = `$^X -le "print 'hi there'"`;
+        # and it needs to pass for the automated validation self-test:
+        edit_file('t/base/term.t', sub {
+                      my $code = shift;
+                      $code =~ s/`(\$\^X )/`$aggressive_apple_security$1/;
+                      return $code;
+                  });
+    }
+}
+
 sub apply_fixups {
     my $fixups = shift;
     return unless $fixups;
author	Nicholas Clark <nick@ccl4.org>	2022-08-02 10:23:15 +0200
committer	Yves Orton <demerphq@gmail.com>	2023-02-11 07:17:42 +0100
commit	7aa54fe19fcfbd642dc14bdd8b40ec86982aacc2 (patch)
tree	1cf8c78f6f21ea03d9bacb0272c8dc3959906eb1 /Porting
parent	7d994703dedf28a09a41810269ad0810e55096cb (diff)
download	perl-7aa54fe19fcfbd642dc14bdd8b40ec86982aacc2.tar.gz