unofficial mirror of guix-patches@gnu.org 
From: Danny Milosavljevic <dannym@scratchpost.org>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: 36699@debbugs.gnu.org
Subject: [bug#36699] [PATCH 4/4] channels: Reject directories with '..' in '.guix-channel' file.
Date: Thu, 18 Jul 2019 11:58:41 +0200
Message-ID: <20190718115841.4660810e@scratchpost.org>
In-Reply-To: <87blxteexo.fsf@gnu.org>


Hi Ludo,

On Wed, 17 Jul 2019 01:29:39 +0200
Ludovic Courtès <ludo@gnu.org> wrote:

> Ludovic Courtès <ludo@gnu.org> skribis:
> 
> > +  (define (sane-directory directory)
> > +    ;; If DIRECTORY contains '..', raise an error; otherwise return it.
> > +    (when (member ".." (string-split directory #\/))
> > +      (raise (condition
> > +              (&message (message "channel sub-directory must not contain '..'"))
> > +              (&error-location (location location)))))
> > +    directory)  
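
Review bot: The `member ".."` test in `sane-directory` is purely lexical: it splits on `/` and rejects only a literal `..` component, so it says nothing about where the path resolves once the file system is involved. If the intent is confinement, resolve the joined source and sub-directory path and check that the result is still under the source directory; if the intent is only to catch mistakes in `.guix-channel`, state that in the comment so the check is not read as a security boundary. The name `sane-directory` also reads like a predicate, while the procedure returns its argument or raises; a name that conveys validation would be clearer.
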
> 
> On second thought, it’s probably kind of useless since the only place
> where ‘directory’ is used is in the derivation that builds the channel,
> which is normally running in a chroot:
> 
>   (let* ((subdir #$directory)
>          (source (string-append #$source subdir)))
>     (compile-files source go (find-files source "\\.scm$"))
>     (mkdir-p (dirname scm))
>     (symlink (string-append #$source subdir) scm))
> 
> So I guess we can drop this patch.  Thoughts?

I generally don't like weird name matching like this.  The Linux VFS can do
arbitrary things (which would complicate the situation) to the name tree.
Even now, a symlink "x" to ".." would work and not be caught.  To say nothing
of what a custom file system could do.

Why single out this one way?  It gives the illusion of security.

Containers are better indeed.

Except when the match is not for security but only for usability, then I'm
fine with it (and then it should be a warning - who knows, maybe ".." means
"current directory" in WeirdFS :->).

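The symlink case raised in the message above, as an added example that is not part of the original thread or of Guix's code: a Python stand-in for the quoted lexical check, next to a check that resolves the path before comparing it with the source directory. The function names, the directory layout and the sample inputs are constructed for illustration, and joining with `os.path.join` instead of plain string concatenation is an assumption.

```python
import os
import tempfile


def lexical_check(directory):
    """Stand-in for the quoted check: reject only a literal '..' component."""
    return ".." not in directory.split("/")


def resolved_check(source, directory):
    """Resolve symlinks first, then require the result to stay under SOURCE."""
    root = os.path.realpath(source)
    target = os.path.realpath(os.path.join(root, directory.lstrip("/")))
    return os.path.commonpath([root, target]) == root


def demo():
    """Build a constructed channel checkout and run both checks on it."""
    with tempfile.TemporaryDirectory() as top:
        source = os.path.join(top, "channel")
        os.makedirs(os.path.join(source, "modules"))
        # Constructed case from the message: a symlink "x" pointing to "..".
        os.symlink("..", os.path.join(source, "x"))
        cases = ["modules", "../outside", "x", "x/outside"]
        return {d: (lexical_check(d), resolved_check(source, d)) for d in cases}


if __name__ == "__main__":
    for directory, (lexical, resolved) in demo().items():
        print(f"{directory!r:14} lexical={lexical!s:5} resolved={resolved}")
```

A resolve-then-compare check only reflects the tree at the moment it runs, so it complements running the build in a chroot rather than replacing it.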

Thread overview: 9+ messages
2019-07-16 23:20 [bug#36699] [PATCH 0/4] Strengthen '.guix-channel' file handling Ludovic Courtès
2019-07-16 23:24 ` [bug#36699] [PATCH 1/4] channels: Strictly check the version of '.guix-channel' Ludovic Courtès
2019-07-16 23:24   ` [bug#36699] [PATCH 2/4] channels: Remove unneeded 'version' field of <channel-metadata> Ludovic Courtès
2019-07-16 23:24   ` [bug#36699] [PATCH 3/4] channels: Always provide a <channel-metadata> record Ludovic Courtès
2019-07-16 23:24   ` [bug#36699] [PATCH 4/4] channels: Reject directories with '..' in '.guix-channel' file Ludovic Courtès
2019-07-16 23:29     ` Ludovic Courtès
2019-07-18  9:58       ` Danny Milosavljevic [this message]
2019-07-18 13:44         ` Ludovic Courtès
2019-07-19  9:54 ` bug#36699: [PATCH 0/4] Strengthen '.guix-channel' file handling Ludovic Courtès
