authorEelco Dolstra <edolstra@gmail.com>2017-10-30T11·39+0100
committerEelco Dolstra <edolstra@gmail.com>2017-10-30T11·41+0100
commit812e027e1d5a4f83394069edd67bdf8404ffa2bb (patch)
treefe11aee398ea3ddfa0a8117c566e2ed1c6435883 /src/libexpr/primops
parentf1c555cef870654cdaf232b5d08fdbba0bf06add (diff)
Add option allowed-uris
This allows network access in restricted eval mode.
Diffstat (limited to 'src/libexpr/primops')
-rw-r--r--src/libexpr/primops/fetchgit.cc7
1 files changed, 4 insertions, 3 deletions
diff --git a/src/libexpr/primops/fetchgit.cc b/src/libexpr/primops/fetchgit.cc
index 38bffd8dbdbc..81b641900593 100644
--- a/src/libexpr/primops/fetchgit.cc
+++ b/src/libexpr/primops/fetchgit.cc
@@ -113,9 +113,6 @@ GitInfo exportGit(ref<Store> store, const std::string & uri,
 
 static void prim_fetchGit(EvalState & state, const Pos & pos, Value * * args, Value & v)
 {
-    // FIXME: cut&paste from fetch().
-    if (state.restricted) throw Error("'fetchGit' is not allowed in restricted mode");
-
     std::string url;
     std::string ref = "master";
     std::string rev;
@@ -150,6 +147,10 @@ static void prim_fetchGit(EvalState & state, const Pos & pos, Value * * args, Va
     } else
         url = state.forceStringNoCtx(*args[0], pos);
 
+    // FIXME: git externals probably can be used to bypass the URI
+    // whitelist. Ah well.
+    state.checkURI(url);
+
     auto gitInfo = exportGit(state.store, url, ref, rev, name);
 
     state.mkAttrs(v, 8);
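Review bot: The comment added above `state.checkURI(url)` records a known gap in the URI allowlist and then dismisses it with "Ah well", so a reader of the restricted-mode code cannot tell what is enforced and what is not. As far as this hunk shows, only the top-level `url` string is checked before `exportGit` runs; any further repository that git resolves on its own during the fetch would not pass through `checkURI`, which is presumably what "git externals" refers to. I would state the limit precisely, e.g. `// FIXME: only the top-level URL is checked against allowed-uris;` followed by `// URIs that git resolves itself during the fetch are not checked.`, and repeat that caveat wherever the allowed-uris option is documented. prim_fetchGit starts in the previous hunk and continues past the end of this one, so whether `ref` and `rev` need validation before reaching `exportGit` cannot be judged from here.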