Prevent an injection attack in passing untrusted options to substituters

author: Eelco Dolstra <eelco.dolstra@logicblox.com> 2012-07-31T22·50-0400
committer: Eelco Dolstra <eelco.dolstra@logicblox.com> 2012-07-31T22·50-0400
commit: eb7849e3a281511a59abf72ae5c3133f903bbaab (patch)
tree: 27e091b609c38c7252d86961ed9564ca5d180f37 /src
parent: 90d9c58d4dabb370849cd523fb9ee471e8140b76 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index bfb40a07a237..c75ebdd0e36b 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -188,6 +188,10 @@ string Settings::pack()
 {
     string s;
     foreach (SettingsMap::iterator, i, settings) {
+        if (i->first.find('\n') != string::npos ||
+            i->first.find('=') != string::npos ||
+            i->second.find('\n') != string::npos)
+            throw Error("illegal option name/value");
         s += i->first; s += '='; s += i->second; s += '\n';
     }
     return s;
author	Eelco Dolstra <eelco.dolstra@logicblox.com>	2012-07-31T22·50-0400
committer	Eelco Dolstra <eelco.dolstra@logicblox.com>	2012-07-31T22·50-0400
commit	eb7849e3a281511a59abf72ae5c3133f903bbaab (patch)
tree	27e091b609c38c7252d86961ed9564ca5d180f37 /src
parent	90d9c58d4dabb370849cd523fb9ee471e8140b76 (diff)