Cabal deletes project source files during configure
The checkDuplicateHeaders function in
Distribution.Simple.Configure removes header files from the
source directory when a header with the same name exists in both the
build directory and the source directory.
This behavior was introduced in commit 3a9830b to
resolve header precedence issues, as C compilers prefer relative
includes over -I search paths. The workaround uses
removeFile on source directory files, which is destructive
and should not happen during a build process.
While the current implementation does not follow symlinks explicitly, the deletion of source files outside of the project during a build operation is possible on Microsoft Windows.
Info
- Published
- April 08, 2026
- Modified
- April 08, 2026
- CAPECs
- < none >
- CWEs
- 73
- Keywords
- cabal, file-deletion, configure
- Aliases
- < none >
- Related
- < none >
- References
- [REPORT] https://github.com/haskell/cabal/issues/11176
- [INTRODUCED] https://github.com/haskell/cabal/commit/3a9830bbdabef2f1009a69957966b778c7c1a9ee
Affected
@hackage/Cabal
- CVSS
- CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Versions
>=2.2- Declarations
- < none >