From 100961e370db16979267b56acf73dd4523be9cd2 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Tue, 13 Jan 2015 11:16:32 +0100
Subject: Don't resolve symlinks while checking __impureHostDeps

Since these come from untrusted users, we shouldn't do any I/O on them before we've checked that they're in an allowed prefix.
---
 src/libstore/build.cc | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'src/libstore')

diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 2bd0d2030689..280fd6f6e821 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -1784,10 +1784,13 @@ void DerivationGoal::startBuilder()
 for (auto & i : impurePaths) {
 bool found = false;
- Path canonI = canonPath(i, true);
+ /* Note: we're not resolving symlinks here to prevent
+ giving a non-root user info about inaccessible
+ files. */
+ Path canonI = canonPath(i);
 /* If only we had a trie to do this more efficiently :)
 luckily, these are generally going to be pretty small */
 for (auto & a : allowedPaths) {
- Path canonA = canonPath(a, true);
+ Path canonA = canonPath(a);
 if (canonI == canonA || isInDir(canonI, canonA)) {
 found = true;
 break;
-- 
cgit 1.4.1
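Review bot: With `canonPath(i)` no longer resolving symlinks, `isInDir(canonI, canonA)` becomes a purely lexical prefix check, so a user-supplied entry that sits under an allowed prefix but is itself a symlink can still name a location outside that prefix, and if the accepted path is later handed to the sandbox unchanged the prefix check no longer bounds what it reaches. The commit message's own rationale (no I/O before the prefix check) points to the fix: once `found` is true, resolve the path with `canonPath(i, true)` and re-check the resolved result against the same prefix before using it — but how `impurePaths` is consumed, like the rest of `startBuilder`, is outside this hunk, so confirm there. The added comment would be clearer if it stated the actual reason rather than the information-disclosure symptom, e.g. `/* Don't resolve symlinks here: these paths are user-supplied, so do no I/O on them until they are known to lie under an allowed prefix. */`. Minor: `canonPath(a)` is recomputed for every impure path × allowed path pair; canonicalising `allowedPaths` once before the outer loop avoids the repeated work.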