diff options
-rw-r--r-- | blacklisting/blacklist.xml | 52 | ||||
-rwxr-xr-x | blacklisting/check-env.pl | 76 |
2 files changed, 87 insertions, 41 deletions
diff --git a/blacklisting/blacklist.xml b/blacklisting/blacklist.xml index 0ae2b21d2c5b..aec9113262a4 100644 --- a/blacklisting/blacklist.xml +++ b/blacklisting/blacklist.xml @@ -1,6 +1,7 @@ <blacklist> - + +<!-- <item id='openssl-0.9.7d-obsolete'> <condition> <containsSource @@ -12,29 +13,20 @@ </reason> <severity class="all" level="low" /> </item> +--> -<item id='zlib-1.2.1-security'> +<item id='zlib-1.2.1-security' type='security'> <condition> <containsSource - hash="sha256:0yp7z8ask4b8m2ia253apnnxdk0z0zrs70yr079m2rjd4297chgv" - origin="zlib-1.2.1.tar.gz" /> -<!-- - <or> - <and> - <containsSource - hash="sha256:0yp7z8ask4b8m2ia253apnnxdk0z0zrs70yr079m2rjd4297chgv" - origin="zlib-1.2.1.tar.gz" /> - <not> - <containsSource - hash="..." - origin="zlib-1.2.1-dos.patch" /> - </not> - </and> - <containsOutput - name="/nix/store/gxbdsvlwz6ixin94jhdw7rwdbb5mxxq3-zlib-1.2.1" /> - </or> - --> + hash="sha256:1xf1749gdfw9f50mxa5rsnmwiwrb5mi0kg4siw8a73jykdp2i6ii" + origin="openssl-0.9.7d.tar.gz" /> +<!-- <within> + <traverse> + <not><hasName name='*.tar.*' /></not> + </traverse> + <hasAttr name='md5' value='ef1cb003448b4a53517b8f25adb12452' /> + </within> --> </condition> <reason> Zlib 1.2.1 is vulnerable to a denial-of-service condition. See @@ -45,6 +37,7 @@ </item> +<!-- <item id='libpng-1.2.7-crash'> <condition> <containsName name="libpng" comparison="lte" version="1.2.7" /> @@ -55,6 +48,25 @@ </reason> <severity class="client" level="low" /> </item> +--> + + +<!-- +<item id='subversion-without-zlib' type='improvement'> + + <condition> + <withinOutputClosure> + <not> + <containsName name='zlib' /> + </not> + </withinOutputClosure> + </condition> + <reason> + Subversion can be compiled with Zlib compression support, which is a good thing. + </reason> + +</item> +--> </blacklist> diff --git a/blacklisting/check-env.pl b/blacklisting/check-env.pl index f73ad558b86a..f334ef04cb1e 100755 --- a/blacklisting/check-env.pl +++ b/blacklisting/check-env.pl @@ -1,7 +1,8 @@ -#! /usr/bin/perl -w +#! /usr/bin/perl -w -I /home/eelco/.nix-profile/lib/site_perl use strict; -use XML::Simple; +use XML::LibXML; +#use XML::Simple; my $blacklistFN = shift @ARGV; die unless defined $blacklistFN; @@ -10,10 +11,10 @@ die unless defined $userEnv; # Read the blacklist. -my $blacklist = XMLin($blacklistFN, - forcearray => [qw()], - keyattr => ['id'], - suppressempty => ''); +my $parser = XML::LibXML->new(); +my $blacklist = $parser->parse_file($blacklistFN)->getDocumentElement; + +#print $blacklist->toString() , "\n"; # Get all the elements of the user environment. @@ -30,10 +31,10 @@ sub evalCondition { my $storePaths = shift; my $condition = shift; - if (defined $condition->{'containsSource'}) { - my $c = $condition->{'containsSource'}; - my $hash = $c->{'hash'}; - + my $name = $condition->getName; + + if ($name eq "containsSource") { + my $hash = $condition->attributes->getNamedItem("hash")->getValue; foreach my $path (keys %{$storePathHashes{$hash}}) { # !!! use a hash for $storePaths foreach my $path2 (@{$storePaths}) { @@ -42,8 +43,43 @@ sub evalCondition { } return 0; } + + elsif ($name eq "and") { + my $result = 1; + foreach my $node ($condition->getChildNodes) { + if ($node->nodeType == XML_ELEMENT_NODE) { + $result &= evalCondition($storePaths, $node); + } + } + return $result; + } + + elsif ($name eq "true") { + return 1; + } + + elsif ($name eq "false") { + return 0; + } + + else { + die "unknown element `$name'"; + } +} + + +sub evalOr { + my $storePaths = shift; + my $nodes = shift; + + my $result = 0; + foreach my $node (@{$nodes}) { + if ($node->nodeType == XML_ELEMENT_NODE) { + $result |= evalCondition($storePaths, $node); + } + } - return 0; + return $result; } @@ -83,20 +119,18 @@ foreach my $userEnvElem (@userEnvElems) { # Evaluate each blacklist item. - foreach my $itemId (sort (keys %{$blacklist->{'item'}})) { -# print " CHECKING FOR $itemId\n"; + foreach my $item ($blacklist->getChildrenByTagName("item")) { + my $itemId = $item->getAttributeNode("id")->getValue; + print " CHECKING FOR $itemId\n"; - my $item = $blacklist->{'item'}->{$itemId}; - die unless defined $item; - - my $condition = $item->{'condition'}; - die unless defined $condition; + my $condition = ($item->getChildrenByTagName("condition"))[0]; + die unless $condition; # Evaluate the condition. - if (evalCondition(\@requisites, $condition)) { - + my @foo = $condition->getChildNodes(); + if (evalOr(\@requisites, \@foo)) { # Oops, condition triggered. - my $reason = $item->{'reason'}; + my $reason = ($item->getChildrenByTagName("reason"))[0]->getChildNodes->to_literal; $reason =~ s/\s+/ /g; $reason =~ s/^\s+//g; |