From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:470:142:3::10]:58745)
 by lists.gnu.org with esmtp (Exim 4.86_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1hnWkq-0005IY-Pn
 for guix-patches@gnu.org; Tue, 16 Jul 2019 19:21:05 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1hnWkp-0008UY-Rx
 for guix-patches@gnu.org; Tue, 16 Jul 2019 19:21:04 -0400
Received: from debbugs.gnu.org ([209.51.188.43]:42470)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1hnWkp-0008US-Oy
 for guix-patches@gnu.org; Tue, 16 Jul 2019 19:21:03 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1hnWkp-0003Nx-JA
 for guix-patches@gnu.org; Tue, 16 Jul 2019 19:21:03 -0400
Subject: [bug#36699] [PATCH 0/4] Strengthen '.guix-channel' file handling
Resent-Message-ID: <handler.36699.B.156331923012951@debbugs.gnu.org>
Received: from eggs.gnu.org ([2001:470:142:3::10]:58539)
 by lists.gnu.org with esmtp (Exim 4.86_2)
 (envelope-from <ludo@gnu.org>) id 1hnWkD-0005Ez-1S
 for guix-patches@gnu.org; Tue, 16 Jul 2019 19:20:25 -0400
From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@gnu.org>
Date: Wed, 17 Jul 2019 01:20:16 +0200
Message-Id: <20190716232016.16559-1-ludo@gnu.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: 36699@debbugs.gnu.org

Hello Guix,

These patches change ‘.guix-channel’ parsing and handling following
the same pattern as <manifest>/read-manifest/profile-manifest and
other places where we deal with serialized data structures.

The last patch addresses a potential security issue with the
‘directory’ field of ‘.guix-channel’ that hadn’t occurred to me
while reviewing it.

Thoughts?

Ludo’.

Ludovic Courtès (4):
  channels: Strictly check the version of '.guix-channel'.
  channels: Remove unneeded 'version' field of <channel-metadata>.
  channels: Always provide a <channel-metadata> record.
  channels: Reject directories with '..' in '.guix-channel' file.

 guix/channels.scm  | 102 +++++++++++++++++++++++++++++----------------
 tests/channels.scm |  81 +++++++++++++++++++++++++----------
 2 files changed, 124 insertions(+), 59 deletions(-)

-- 
2.22.0