From e3ce89324da1e33c17c9180ef846f41d92616254 Mon Sep 17 00:00:00 2001 From: Haixiao Yan Date: Tue, 16 Sep 2025 21:19:18 +0800 Subject: buildtools-tarball: fix unbound variable issues under 'set -u' When Bash runs with 'set -u' (nounset), accessing an unset variable directly (e.g. [ -z "$SSL_CERT_FILE" ]) causes a fatal "unbound variable" error. As a result, the fallback logic to set SSL_CERT_FILE/SSL_CERT_DIR is never triggered and the script aborts. The current code assumes these variables may be unset or empty, but does not guard against 'set -u'. This breaks builds in stricter shell environments or when users explicitly enable 'set -u'. Fix this by using parameter expansion with a default value, e.g. "${SSL_CERT_FILE:-}", so that unset variables are treated as empty strings. This preserves the intended logic (respect host env first, then CAFILE/CAPATH, then buildtools defaults) and makes the script robust under 'set -u'. (From OE-Core rev: 4cf131ebd157b79226533b5a5074691dd0e1a4ab) Signed-off-by: Haixiao Yan Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit 4d880c2eccd534133a2a4e6579d955605c0956ec) Signed-off-by: Steve Sakoman --- .../openssl/files/environment.d-openssl.sh | 24 +++++++++++----------- meta/recipes-devtools/git/git/environment.d-git.sh | 8 ++++---- .../environment.d-python3-requests.sh | 4 ++-- .../curl/curl/environment.d-curl.sh | 8 ++++---- 4 files changed, 22 insertions(+), 22 deletions(-) diff --git a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh index c635be8aca..d72edcb5ed 100644 --- a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh +++ b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh @@ -4,20 +4,20 @@ export OPENSSL_ENGINES="$OECORE_NATIVE_SYSROOT/usr/lib/engines-3" # Respect host env SSL_CERT_FILE/SSL_CERT_DIR first, then auto-detected host cert, then cert in buildtools # CAFILE/CAPATH is auto-deteced when source buildtools -if [ -z "$SSL_CERT_FILE" ]; then - if [ -n "$CAFILE" ];then - export SSL_CERT_FILE="$CAFILE" - elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then - export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs/ca-certificates.crt" - fi +if [ -z "${SSL_CERT_FILE:-}" ]; then + if [ -n "${CAFILE:-}" ];then + export SSL_CERT_FILE="$CAFILE" + elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then + export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs/ca-certificates.crt" + fi fi -if [ -z "$SSL_CERT_DIR" ]; then - if [ -n "$CAPATH" ];then - export SSL_CERT_DIR="$CAPATH" - elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then - export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs" - fi +if [ -z "${SSL_CERT_DIR:-}" ]; then + if [ -n "${CAPATH:-}" ];then + export SSL_CERT_DIR="$CAPATH" + elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then + export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs" + fi fi export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} SSL_CERT_DIR SSL_CERT_FILE" diff --git a/meta/recipes-devtools/git/git/environment.d-git.sh b/meta/recipes-devtools/git/git/environment.d-git.sh index 9c7b5a9251..fdfa721c3b 100644 --- a/meta/recipes-devtools/git/git/environment.d-git.sh +++ b/meta/recipes-devtools/git/git/environment.d-git.sh @@ -1,15 +1,15 @@ # Respect host env GIT_SSL_CAINFO/GIT_SSL_CAPATH first, then auto-detected host cert, then cert in buildtools # CAFILE/CAPATH is auto-deteced when source buildtools -if [ -z "$GIT_SSL_CAINFO" ]; then - if [ -n "$CAFILE" ];then +if [ -z "${GIT_SSL_CAINFO:-}" ]; then + if [ -n "${CAFILE:-}" ];then export GIT_SSL_CAINFO="$CAFILE" elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then export GIT_SSL_CAINFO="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" fi fi -if [ -z "$GIT_SSL_CAPATH" ]; then - if [ -n "$CAPATH" ];then +if [ -z "${GIT_SSL_CAPATH:-}" ]; then + if [ -n "${CAPATH:-}" ];then export GIT_SSL_CAPATH="$CAPATH" elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then export GIT_SSL_CAPATH="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs" diff --git a/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh b/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh index 492177a9c3..400972814b 100644 --- a/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh +++ b/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh @@ -1,7 +1,7 @@ # Respect host env REQUESTS_CA_BUNDLE first, then auto-detected host cert, then cert in buildtools # CAFILE/CAPATH is auto-deteced when source buildtools -if [ -z "$REQUESTS_CA_BUNDLE" ]; then - if [ -n "$CAFILE" ];then +if [ -z "${REQUESTS_CA_BUNDLE:-}" ]; then + if [ -n "${CAFILE:-}" ];then export REQUESTS_CA_BUNDLE="$CAFILE" elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then export REQUESTS_CA_BUNDLE="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" diff --git a/meta/recipes-support/curl/curl/environment.d-curl.sh b/meta/recipes-support/curl/curl/environment.d-curl.sh index 7c2971b3da..581108ef35 100644 --- a/meta/recipes-support/curl/curl/environment.d-curl.sh +++ b/meta/recipes-support/curl/curl/environment.d-curl.sh @@ -1,15 +1,15 @@ # Respect host env CURL_CA_BUNDLE/CURL_CA_PATH first, then auto-detected host cert, then cert in buildtools # CAFILE/CAPATH is auto-deteced when source buildtools -if [ -z "$CURL_CA_PATH" ]; then - if [ -n "$CAFILE" ];then +if [ -z "${CURL_CA_PATH:-}" ]; then + if [ -n "${CAFILE:-}" ];then export CURL_CA_BUNDLE="$CAFILE" elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then export CURL_CA_BUNDLE="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" fi fi -if [ -z "$CURL_CA_PATH" ]; then - if [ -n "$CAPATH" ];then +if [ -z "${CURL_CA_PATH:-}" ]; then + if [ -n "${CAPATH:-}" ];then export CURL_CA_PATH="$CAPATH" elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then export CURL_CA_PATH="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs" -- cgit v1.2.3-54-g00ecf