Guard Against Empty $CLASSPATH

Previously, the classpath linking script would only guard against $CLASSPATH not being set. This could result in an empty value creating an invalid (and possibly security vulnerable) ln command. This change updates the guard to also return early if the env var is set but empty. [#2] Signed-off-by: Ben Hale <[email protected]>
paketo-buildpacks · May 26, 2020 · f4541dc · f4541dc
1 parent bd3057f
commit f4541dc
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 3 deletions.
diff --git a/tomcat/base_test.go b/tomcat/base_test.go
@@ -110,7 +110,7 @@ printf "Tomcat Access Logging enabled\n"
 
 export JAVA_OPTS="${JAVA_OPTS} -Daccess.logging.enabled=true"
 `))
-		Expect(layer.Profile["classpath.sh"]).To(Equal(fmt.Sprintf(`[[ -z "${CLASSPATH+x}" ]] && return
+		Expect(layer.Profile["classpath.sh"]).To(Equal(fmt.Sprintf(`[[ -z "${CLASSPATH}" ]] && return
 
 printf "Linking \${CLASSPATH} entries to %%s\n" "%[1]s"
 

diff --git a/tomcat/classpath.sh b/tomcat/classpath.sh
@@ -1,4 +1,4 @@
-[[ -z "${CLASSPATH+x}" ]] && return
+[[ -z "${CLASSPATH}" ]] && return
 
 printf "Linking \${CLASSPATH} entries to %s\n" "{{.path}}"
 

diff --git a/tomcat/statik/statik.go b/tomcat/statik/statik.go