Add unset of environment variables (conda#1082)

lrandersson · web-flow · commit c4bd53697077 · 2025-10-22T08:08:44.000-07:00
* Add news

* Add unset of environment variables

* Verify expected environment variables are unset

* Unset env vars also for pkg installers

* Fix typo with OR instead of AND

* Fix formatting

* Remove uses of OLD_LD_LIBRARY_PATH

* Add suggestion to news
diff --git a/constructor/header.sh b/constructor/header.sh
@@ -10,10 +10,9 @@
 set -eu
 
 {%- if osx %}
-unset DYLD_LIBRARY_PATH DYLD_FALLBACK_LIBRARY_PATH
+unset DYLD_LIBRARY_PATH DYLD_FALLBACK_LIBRARY_PATH DYLD_INSERT_LIBRARIES DYLD_FRAMEWORK_PATH
 {%- else %}
-export OLD_LD_LIBRARY_PATH="${LD_LIBRARY_PATH:-}"
-unset LD_LIBRARY_PATH
+unset LD_LIBRARY_PATH LD_PRELOAD LD_AUDIT
 {%- endif %}
 
 if ! echo "$0" | grep '\.sh$' > /dev/null; then
diff --git a/constructor/osx/run_installation.sh b/constructor/osx/run_installation.sh
@@ -20,7 +20,7 @@ logger -p "install.info" "$1" || echo "$1"
 
 {%- set channels = final_channels|join(",") %}
 
-unset DYLD_LIBRARY_PATH
+unset DYLD_LIBRARY_PATH DYLD_FALLBACK_LIBRARY_PATH DYLD_INSERT_LIBRARIES DYLD_FRAMEWORK_PATH
 
 PREFIX="$2/{{ pkg_name_lower }}"
 PREFIX=$(cd "$PREFIX"; pwd)
diff --git a/examples/grin/hello.sh b/examples/grin/hello.sh
@@ -3,4 +3,3 @@ set -euxo pipefail
 
 echo "Hello: PREFIX='$PREFIX'"
 echo "LD_LIBRARY_PATH: ${LD_LIBRARY_PATH:-}"
-echo "OLD_LD_LIBRARY_PATH: ${OLD_LD_LIBRARY_PATH:-}"
diff --git a/examples/scripts/post_install.sh b/examples/scripts/post_install.sh
@@ -23,12 +23,43 @@ test "${CUSTOM_VARIABLE_2}" = '$ECOND-CUSTOM_'\''STRING'\'' WITH SPACES AND @*!
 
 test "${INSTALLER_UNATTENDED}" = "1"
 
-if [[ $(uname -s) == Linux ]]; then
+# Print to stderr if any of the input variables are set, and returns 1 - otherwise 0.
+# Note that variables that are set but are empty strings will also trigger an error.
+# All input variables are checked before exit.
+verify_var_is_unset() {
+    local failed=0
+    for var in "$@"; do
+        if [[ -n "${!var+x}" ]]; then
+            echo "Error: environment variable $var must be unset." >&2
+            failed=1
+        fi
+    done
+    return $failed
+}
+
+if [[ $(uname -s) == "Linux" ]]; then
     if [[ ${INSTALLER_PLAT} != linux-* ]]; then
+        echo "Error: INSTALLER_PLAT must match 'linux-*' on Linux systems."
+        exit 1
+    fi
+
+    if ! verify_var_is_unset LD_LIBRARY_PATH LD_PRELOAD LD_AUDIT; then
+        echo "Error: One or more of LD_LIBRARY_PATH, LD_PRELOAD, or LD_AUDIT are set."
         exit 1
     fi
+
 else  # macOS
     if [[ ${INSTALLER_PLAT} != osx-* ]]; then
+        echo "Error: INSTALLER_PLAT must match 'osx-*' on macOS systems."
+        exit 1
+    fi
+
+    if ! verify_var_is_unset \
+        DYLD_LIBRARY_PATH \
+        DYLD_FALLBACK_LIBRARY_PATH \
+        DYLD_INSERT_LIBRARIES \
+        DYLD_FRAMEWORK_PATH; then
+        echo "Error: One or more DYLD_* environment variables are set."
         exit 1
     fi
 fi
diff --git a/news/1082-unset-variables b/news/1082-unset-variables
@@ -0,0 +1,19 @@
+### Enhancements
+
+* Unset additional environment variables in shell-based installers to avoid accidental loading of external libraries. (#1082)
+
+### Bug fixes
+
+* <news item>
+
+### Deprecations
+
+* <news item>
+
+### Docs
+
+* <news item>
+
+### Other
+
+* <news item>

Original file line number	Diff line number	Diff line change
`@@ -3,4 +3,3 @@ set -euxo pipefail`
`3`	`3`
`4`	`4`	`echo "Hello: PREFIX='$PREFIX'"`
`5`	`5`	`echo "LD_LIBRARY_PATH: ${LD_LIBRARY_PATH:-}"`
`6`		`-echo "OLD_LD_LIBRARY_PATH: ${OLD_LD_LIBRARY_PATH:-}"`