authorEelco Dolstra <eelco.dolstra@logicblox.com>2012-07-31T22·50-0400
committerEelco Dolstra <eelco.dolstra@logicblox.com>2012-07-31T22·50-0400
commiteb7849e3a281511a59abf72ae5c3133f903bbaab (patch)
tree27e091b609c38c7252d86961ed9564ca5d180f37 /src/libstore
parent90d9c58d4dabb370849cd523fb9ee471e8140b76 (diff)
Prevent an injection attack in passing untrusted options to substituters
Diffstat (limited to 'src/libstore')
-rw-r--r--src/libstore/globals.cc4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index bfb40a07a237..c75ebdd0e36b 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -188,6 +188,10 @@ string Settings::pack()
 {
     string s;
     foreach (SettingsMap::iterator, i, settings) {
+        if (i->first.find('\n') != string::npos ||
+            i->first.find('=') != string::npos ||
+            i->second.find('\n') != string::npos)
+            throw Error("illegal option name/value");
         s += i->first; s += '='; s += i->second; s += '\n';
     }
     return s;
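Review bot: The new guard inside the `foreach` has no comment saying what it protects, and its asymmetry (`=` rejected in names but allowed in values) is only safe if the reader splits each line on the first `=`. That parser is not visible in this hunk, so the assumption should be confirmed and recorded. I would add above the `if`: `// Entries are serialised as "name=value\n"; reject anything that would break that framing for the substituter.` The message `"illegal option name/value"` also does not identify which setting was rejected, so a bad untrusted option is hard to trace; including the option name, with control characters escaped, would help. The closing brace of `Settings::pack()` lies outside the hunk.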