From 4e58294ae62075fae1a2e82e1f62f627c2a0bd80 Mon Sep 17 00:00:00 2001
From: Shea Levy
Date: Mon, 16 Oct 2017 12:56:58 -0400
Subject: fetchgit: Remove incomplete/unneeded isURI check.

This check spuriously fails for e.g. git@github.com:NixOS/nixpkgs.git, and even for ssh://git@github.com/NixOS/nixpkgs.git, and is made redundant by the checks git itself will do when fetching the repo. We instead pass a -- before passing the URI to git to avoid injection.
---
 src/libexpr/primops/fetchgit.cc | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/libexpr/primops/fetchgit.cc b/src/libexpr/primops/fetchgit.cc
index e16c8235378d..545954f58430 100644
--- a/src/libexpr/primops/fetchgit.cc
+++ b/src/libexpr/primops/fetchgit.cc
@@ -13,9 +13,6 @@ namespace nix {
 Path exportGit(ref store, const std::string & uri,
 const std::string & ref, const std::string & rev)
 {
- if (!isUri(uri))
- throw EvalError(format("'%s' is not a valid URI") % uri);
-
 if (rev != "") {
 std::regex revRegex("^[0-9a-fA-F]{40}$");
 if (!std::regex_match(rev, revRegex))
@@ -47,7 +44,7 @@ Path exportGit(ref store, const std::string & uri,
 if (stat(localRefFile.c_str(), &st) != 0 ||
 st.st_mtime < now - settings.tarballTtl)
 {
- runProgram("git", true, { "-C", cacheDir, "fetch", "--force", uri, ref + ":" + localRef });
+ runProgram("git", true, { "-C", cacheDir, "fetch", "--force", "--", uri, ref + ":" + localRef });
 
 struct timeval times[2];
 times[0].tv_sec = now;
-- 
cgit 1.4.1
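Review bot: With the `isUri` check gone (first hunk), the `"--"` added to the `git fetch` argument list in the second hunk only stops `uri` from being read as an option; which transport `uri` selects is now decided entirely by the installed git's protocol policy, whose defaults differ between git versions. If the evaluator is meant to restrict transports itself, state an explicit allow-list at this call, e.g. `{ "-c", "protocol.ext.allow=never", "-C", cacheDir, "fetch", "--force", "--", uri, ref + ":" + localRef }`, or set `GIT_ALLOW_PROTOCOL` for the child process. `ref` also reaches the refspec with no validation in the visible lines, unlike `rev`, so a comment such as `// "--" ends option parsing; uri and the refspec are positional, transport checks are left to git` would record what is and is not covered. `exportGit` begins before and continues past both hunks, so checks outside the visible lines may already handle part of this.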