Skip to content

brew.sh: enforce HOMEBREW_FORCE_BREW_WRAPPER more strictly #20400

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

brew.sh: enforce HOMEBREW_FORCE_BREW_WRAPPER more strictly #20400

wants to merge 1 commit into from
+51 −37

Conversation

carlocab
Copy link
Member

@carlocab carlocab commented Aug 8, 2025

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew typecheck with your changes locally?
  • Have you successfully run brew tests with your changes locally?

HOMEBREW_FORCE_BREW_WRAPPER can be used as a security/compliance
feature, but allowing it to be disabled by setting
HOMEBREW_NO_FORCE_BREW_WRAPPER leaves a pretty large hole in it that
allows it to be sidestepped.

Let's fix that by actually checking the path of the process that called
brew, and the verify that that path matches the configured value of
HOMEBREW_NO_FORCE_BREW_WRAPPER.

@carlocab
brew.sh: enforce HOMEBREW_FORCE_BREW_WRAPPER more strictly
a7c124c 
`HOMEBREW_FORCE_BREW_WRAPPER` can be used as a security/compliance
feature, but allowing it to be disabled by setting
`HOMEBREW_NO_FORCE_BREW_WRAPPER` leaves a pretty large hole in it that
allows it to be sidestepped.

Let's fix that by actually checking the path of the process that called
`brew`, and the verify that that path matches the configured value of
`HOMEBREW_NO_FORCE_BREW_WRAPPER`.
@carlocab carlocab requested a review from Bo98 August 8, 2025 19:23
@carlocab carlocab self-assigned this Aug 8, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Bo98 Bo98 Awaiting requested review from Bo98

At least 1 approving review is required to merge this pull request.

Assignees

@carlocab carlocab

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@carlocab