Subject: [bug#36699] [PATCH 4/4] channels: Reject directories with '..' in '.guix-channel' file.
Date: Thu, 18 Jul 2019 11:58:41 +0200
From: Danny Milosavljevic
Message-ID: <20190718115841.4660810e@scratchpost.org>
In-Reply-To: <87blxteexo.fsf@gnu.org>
References: <20190716232433.16789-1-ludo@gnu.org> <20190716232433.16789-4-ludo@gnu.org> <87blxteexo.fsf@gnu.org>
To: Ludovic Courtès
Cc: 36699@debbugs.gnu.org

Hi Ludo,

On Wed, 17 Jul 2019 01:29:39 +0200
Ludovic Courtès wrote:

> Ludovic Courtès wrote:
>
> > +         (define (sane-directory directory)
> > +           ;; If DIRECTORY contains '..', raise an error; otherwise return it.
> > +           (when (member ".." (string-split directory #\/))
> > +             (raise (condition
> > +                     (&message (message "channel sub-directory must not contain '..'"))
> > +                     (&error-location (location location)))))
> > +           directory)
>
> On second thought, it’s probably kind of useless since the only place
> where ‘directory’ is used is in the derivation that builds the channel,
> which is normally running in a chroot:
>
>     (let* ((subdir #$directory)
>            (source (string-append #$source subdir)))
>       (compile-files source go (find-files source "\\.scm$"))
>       (mkdir-p (dirname scm))
>       (symlink (string-append #$source subdir) scm))
>
> So I guess we can drop this patch. Thoughts?

I generally don't like weird name matching like this. The Linux VFS can do arbitrary things (which would complicate the situation) to the name tree. Even now, a symlink "x" to ".." would work and not be caught. To say nothing of what a custom file system could do. Why single out this one way? It gives the illusion of security. Containers are better indeed.

Except when the match is not for security but only for usability, then I'm fine with it (and then it should be a warning - who knows, maybe ".." means "current directory" in WeirdFS :->).
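Review bot: the `when` form in `sane-directory`, `(member ".." (string-split directory #\/))`, only rejects a literal `..` path component; an absolute `directory` (a leading `/` yields an empty component, not `..`) and a symlink in the checkout that resolves to a parent directory both pass unchanged, so as written this is a usability guard, not a containment check. If the check is kept, consider also rejecting absolute paths (e.g. `(string-prefix? "/" directory)`) and saying so in the `&message` text; otherwise, since `directory` is only consumed by the derivation quoted in the thread (`(string-append #$source subdir)` inside the build chroot), a warning rather than a raised error would better match what the check actually guarantees.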
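The reply above makes two points: a literal `..` match misses a symlink such as `x -> ..`, and the chroot, not the name check, is the real boundary. The following is an added example, not code from Guix or from either participant, written in Python rather than Guile so it runs stand-alone. It builds a throwaway checkout (constructed, with a `sub/` directory and an `x -> ..` symlink), then compares the patch's component match with a resolve-then-compare containment check. Names such as `has_dotdot_component`, `resolves_inside` and `make_checkout` are the example's own; it assumes a POSIX filesystem where unprivileged symlink creation works.

```python
"""Why matching '..' components is not a containment check (added example).

ROOT stands in for a channel checkout and SUBDIR for the 'directory'
field of .guix-channel.  Everything here is constructed for illustration.
"""
import os
import shutil
import tempfile


def has_dotdot_component(subdir: str) -> bool:
    """Mirror of the patch's test: reject only a literal '..' component."""
    return ".." in subdir.split("/")


def resolves_inside(root: str, subdir: str) -> bool:
    """Containment check: resolve symlinks on both sides, then require the
    result to be ROOT itself or strictly below it.  This catches absolute
    SUBDIRs and symlink escapes that the component match lets through.
    It is still a point-in-time answer (the tree can change afterwards),
    which is why the build chroot remains the actual boundary."""
    root_real = os.path.realpath(root)
    # os.path.join discards root_real when subdir is absolute, so "/etc"
    # resolves to "/etc" and fails the prefix test below.
    target = os.path.realpath(os.path.join(root_real, subdir))
    return target == root_real or target.startswith(root_real + os.sep)


def make_checkout() -> str:
    """Create a constructed checkout: ROOT/sub/ and ROOT/x -> '..'."""
    root = tempfile.mkdtemp(prefix="channel-")
    os.mkdir(os.path.join(root, "sub"))
    os.symlink("..", os.path.join(root, "x"))  # the case the reply describes
    return root


def compare(root: str, subdir: str) -> tuple:
    """Return (component_check_rejects, containment_check_rejects)."""
    return has_dotdot_component(subdir), not resolves_inside(root, subdir)


if __name__ == "__main__":
    root = make_checkout()
    try:
        for subdir in ("sub", "../etc", "x", "/etc", "sub/../sub"):
            print(f"{subdir!r:14} component-match rejects={compare(root, subdir)[0]!s:5} "
                  f"containment rejects={compare(root, subdir)[1]}")
    finally:
        shutil.rmtree(root)
```

Running it shows the two checks disagreeing in both directions: `x` and `/etc` pass the component match but fail containment, while `sub/../sub` is rejected by the component match although it never leaves the checkout. Neither check defends against a filesystem that reinterprets names, which is the reply's broader point.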