Using lib argument causes Haxe to access system shell
#10389
Comments
|
I found my workaround a little lacking when the Haxe compiler was run indirectly by other tools. As such, I tried making the needed changes to the compiler myself. The specific function that I was looking at in the ocaml docs is available starting with ocaml 4.08, while Haxe's minimum version is ocaml 4.02. Since I can't use it directly without changing the version dependency, I copied and adapted the new function as a wrapper around If updating the minimum required ocaml version isn't a big deal, now would be a nice time to update. Otherwise, proper attribution for the source of the backported code may need to be included. Since this isn't passed through the shell/cmd anymore, the full path to haxelib needs to be specified, for which I wrote a really simple function to pick the executable up from the path. If this is useful as a starting point, feel free to copy it, or I can create a PR. This change passed all the CI tests on Windows, and I tested the change locally on Linux as well. I grabbed the Windows binary that github actions built and it does what I need it to, so I'm happy. |
|
Looks like I missed a few places. Many of the generators run their specific haxelib, and that goes through Line 674 in fc8633e
Line 6946 in 6eb36b2 |
|
Took care of all the generators. Here's the status of all the places where Haxe invokes the shell, as far as I know.
This does enough for my needs. I don't know if there's any reason to block shell access on Linux as well. If that were the case, the last two would need to be modified as well. For this to actually be useful to anybody, changes will need to be made on the Haxe code side as well for whatever build tooling you happen to use. Haxelib itself, and anything else like hxp, lime, openfl, hxcpp, etc., will need to avoid |
This relates to HaxeFoundation/haxe#10389 This change allows Haxe's basic build tooling to be used even when the system shell is unavailable. `Sys.command` runs processes through the system shell. The 2-argument form of `new Process`, on the other hand, starts processes without going through the shell.
|
I've turned the work I've done here into a PR. |
I'd like to use the Haxe compiler in Windows environments where access to cmd.exe is restricted (which is not uncommon in, for example, schools).
Two arguments passed to the haxe compiler will cause the compiler to invoke cmd.exe to start a new process. These are
cmdandlib.See:
https://ocaml.org/api/Unix.html#VALopen_process_full
https://ocaml.org/api/Unix.html#VALsystem
cmd:haxe/src/compiler/haxe.ml
Line 170 in e70ba87
haxe/src/compiler/haxe.ml
Line 187 in e70ba87
lib:haxe/src/compiler/haxe.ml
Line 111 in e70ba87
I think that
cmdhas the expectation of being passed to the system shell, so it makes sense to simply avoid usingcmdas an argument if shell/interpreter access isn't available. I would expectlib, on the other hand, not to need to use the shell. Is it possible to replaceopen_process_fullwithopen_process_args_fullfor the case oflib?In my case, the Haxe compiler is started from inside an IDE. I can simply have the IDE automatically read the hxml file, find
libarguments, runhaxelib path {libs}, and replace thelibarguments with the appropriate classpaths and defines. Then there will be nocmd.exeaccess and things will work as expected. However, the behavior is a little bit surprising as-is.The text was updated successfully, but these errors were encountered: