Rewrite LC_PATH that does not start with '@'

I've seen at least one wheel on PyPI that contains a library with an absolute path in LC_RPATH. Those are a no-no for standalone bundles as this can cause the bundle to load a file outside of the bundle.
ronaldoussoren · Jul 10, 2024 · 3255fa6 · 3255fa6
1 parent 1de8460
commit 3255fa6
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/src/py2app/_standalone.py b/src/py2app/_standalone.py
@@ -266,6 +266,26 @@ def changefunc(name: str) -> str:
             return result
 
         changed = m.rewriteLoadCommands(changefunc)
+
+        # Check for LC_RPATH entries that refer to absolute paths, those result in bundles
+        # that can load libraries outside of the bundle. Seen in at least one wheel on PyPI.
+        for header in m.headers:
+            for idx, (lc, cmd, data) in enumerate(header.commands):
+                if lc.cmd == macholib.mach_o.LC_RPATH:
+                    assert isinstance(cmd, macholib.mach_o.rpath_command)
+                    path = macholib.MachO.lc_str_value(
+                        cmd.path, (lc, cmd, data)
+                    ).decode()
+                    if path.startswith("@"):
+                        continue
+
+                    progress.warning(
+                        f"{str(current)!r}: replacing non-portable LC_RPATH entry {path!r}"
+                    )
+                    header.rewriteDataForCommand(idx, b"@executable_path/../Frameworks")
+
+                    changed = True
+
         if changed:
             rewrite_headers(current, m)