From 812e027e1d5a4f83394069edd67bdf8404ffa2bb Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Mon, 30 Oct 2017 12:39:59 +0100
Subject: Add option allowed-uris
This allows network access in restricted eval mode.
---
 src/libexpr/primops/fetchgit.cc | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'src/libexpr/primops/fetchgit.cc')
diff --git a/src/libexpr/primops/fetchgit.cc b/src/libexpr/primops/fetchgit.cc
index 38bffd8dbdbc..81b641900593 100644
--- a/src/libexpr/primops/fetchgit.cc
+++ b/src/libexpr/primops/fetchgit.cc
@@ -113,9 +113,6 @@ GitInfo exportGit(ref store, const std::string & uri,
 static void prim_fetchGit(EvalState & state, const Pos & pos, Value * * args, Value & v)
 {
- // FIXME: cut&paste from fetch().
- if (state.restricted) throw Error("'fetchGit' is not allowed in restricted mode");
-
 std::string url;
 std::string ref = "master";
 std::string rev;
@@ -150,6 +147,10 @@ static void prim_fetchGit(EvalState & state, const Pos & pos, Value * * args, Va
 } else
 url = state.forceStringNoCtx(*args[0], pos);
+ // FIXME: git externals probably can be used to bypass the URI
+ // whitelist. Ah well.
+ state.checkURI(url);
+
 auto gitInfo = exportGit(state.store, url, ref, rev, name);
 state.mkAttrs(v, 8);
--
cgit 1.4.1
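Review bot: The comment added above `state.checkURI(url)` in the second hunk records a known gap in the restricted-mode boundary but ends in "Ah well.", which tells a later reader neither what the check covers nor what is left to track. With the unconditional rejection removed in the first hunk, this call is the only gate visible here, and it vets only the top-level `url` string before it is passed to `exportGit`. Whether `exportGit` lets git follow further URLs (the "git externals" the FIXME mentions) or accepts non-URI forms of `url` is not visible in this hunk, so the guarantee should be stated rather than implied. I would word the comment as `// NOTE: checkURI() vets only the URL passed to fetchGit; URLs that git itself follows while fetching are not checked against allowed-uris.` and add a test that a URI outside allowed-uris is rejected in restricted mode. prim_fetchGit starts before this hunk and continues after it.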