author | Eelco Dolstra <edolstra@gmail.com> | 2018-02-06T13·35+0100 |
---|---|---|
committer | Eelco Dolstra <edolstra@gmail.com> | 2018-02-06T13·35+0100 |
commit | f24e726ba53e23235d33d8bdc7877ad3a8632fde (patch) | |
tree | 8de87189e59a062998164e9a3258df60e7117360 /src/libexpr/eval.cc | |
parent | f539085e651b133f023e8d02a8036124ac47d36c (diff) |
checkURI(): Check file URIs against allowedPaths
This makes e.g. 'fetchGit ./.' work (assuming that ./. is an allowed path).
Diffstat (limited to 'src/libexpr/eval.cc')
-rw-r--r-- | src/libexpr/eval.cc | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc
index 33a9bc614285..7775cbe53cc4 100644
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@@ -378,6 +378,18 @@ void EvalState::checkURI(const std::string & uri)
 && (prefix[prefix.size() - 1] == '/' || uri[prefix.size()] == '/'))) return;
+ /* If the URI is a path, then check it against allowedPaths as
+ well. */
+ if (hasPrefix(uri, "/")) {
+ checkSourcePath(uri);
+ return;
+ }
+
+ if (hasPrefix(uri, "file://")) {
+ checkSourcePath(std::string(uri, 7));
+ return;
+ }
+
+ throw RestrictedPathError("access to URI '%s' is forbidden in restricted mode", uri); } |
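Review bot: In the `file://` branch the string passed to `checkSourcePath` is the raw remainder of the URI, `std::string(uri, 7)`, so a URI with an authority part (`file://host/...`) is checked as a relative path, and percent-encoded segments are checked undecoded even though the code that later fetches the URI may interpret them differently. Requiring an absolute path keeps the first case on the existing fail-closed `throw`: `if (hasPrefix(uri, "file:///")) {`. For the second case I would at least state the assumption next to the call, e.g. `/* The path is checked verbatim; the consumer of this URI must not percent-decode or otherwise reinterpret it. */`, or decode before the check if the consumer does. `checkURI` begins above the hunk and `checkSourcePath` is defined elsewhere, so how it treats relative input and whether it returns a resolved path are inferred, not visible here.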