fix: Don't use EXEPATH unless it is absolute

EliahKagan · EliahKagan · commit 9000a848cfd9 · 2025-08-18T18:20:53.000-04:00
The first of two strategies used by the `system_prefix()` function
on Windows is an optimization that looks for `clangarm64`,
`mingw64`, or `mingw32` subdirectories of a directory whose path is
given by the value of the `EXEPATH` environment variable. If
`EXEPATH` is absent, can't be interpreted as a path, or can be
interpreted as a path but does not point to a directory that can be
verified to contain such a subdirectory, then this optimization was
already being skipped and the more reliable but sometimes slower
`git --exec-path`-based method used.

However, when `EXEPATH` contains a relative path, including in the
case where it is an empty string (which could be set by accident or
if it is being used with some meaning other than what we and Git
for Windows recognize), then it was still used, even though that
would not usually be correct and would sometimes not be safe.

Although an attacker is not expected to be able to control the
value of `EXEPATH` (nor most environment variables), a value such
as an empty string would cause `clangarm64`, `mingw64`, and
`mingw32` subdirectories of the current directory to be used.

A user might intentionally set `EXEPATH` to a relative path to
leverage the `EXEPATH` optimization of `system_prefix()` with that
path. But `EXEPATH` is a short variable name with many plausible
meanings that is not named with a distinctive prefix such `GIT_` or
`GIX_`. So it would not be a good tradeoff to continue recognizing
it for `system_prefix()` anytime it is non-absoliute.

Thus, as a stability fix and possible security enhancement, this
adds a check that the value of `EXEPATH` is an absolute path before
proceeding with the `EXEPATH` optimization.
diff --git a/gix-path/src/env/mod.rs b/gix-path/src/env/mod.rs
@@ -154,7 +154,8 @@ fn system_prefix_from_exepath_var<F>(var_os_func: F) -> Option<PathBuf>
 where
     F: Fn(&str) -> Option<OsString>,
 {
-    let root = PathBuf::from(var_os_func("EXEPATH")?);
+    // Only attempt this optimization if the `EXEPATH` variable is set to an absolute path.
+    let root = var_os_func("EXEPATH").map(PathBuf::from).filter(|r| r.is_absolute())?;
 
     let mut candidates = ["clangarm64", "mingw64", "mingw32"]
         .iter()

Original file line number	Diff line number	Diff line change
`@@ -154,7 +154,8 @@ fn system_prefix_from_exepath_var<F>(var_os_func: F) -> Option<PathBuf>`
`154`	`154`	`where`
`155`	`155`	`F: Fn(&str) -> Option<OsString>,`
`156`	`156`	`{`
`157`		`- let root = PathBuf::from(var_os_func("EXEPATH")?);`
	`157`	+ // Only attempt this optimization if the `EXEPATH` variable is set to an absolute path.
	`158`	`+ let root = var_os_func("EXEPATH").map(PathBuf::from).filter(\|r\| r.is_absolute())?;`
`158`	`159`
`159`	`160`	`let mut candidates = ["clangarm64", "mingw64", "mingw32"]`
`160`	`161`	`.iter()`