From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from eggs.gnu.org ([2001:470:142:3::10]:38811) by lists.gnu.org with esmtp (Exim 4.86_2) (envelope-from ) id 1ho6iV-0008C0-Ft for guix-patches@gnu.org; Thu, 18 Jul 2019 09:45:04 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ho6iU-0001KG-E9 for guix-patches@gnu.org; Thu, 18 Jul 2019 09:45:03 -0400
Received: from debbugs.gnu.org ([209.51.188.43]:44813) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1ho6iU-0001K8-Ad for guix-patches@gnu.org; Thu, 18 Jul 2019 09:45:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1ho6iU-0000yV-2q for guix-patches@gnu.org; Thu, 18 Jul 2019 09:45:02 -0400
Subject: [bug#36699] [PATCH 4/4] channels: Reject directories with '..' in '.guix-channel' file.
Resent-Message-ID:
From: Ludovic Courtès
References: <20190716232433.16789-1-ludo@gnu.org> <20190716232433.16789-4-ludo@gnu.org> <87blxteexo.fsf@gnu.org> <20190718115841.4660810e@scratchpost.org>
Date: Thu, 18 Jul 2019 15:44:36 +0200
In-Reply-To: <20190718115841.4660810e@scratchpost.org> (Danny Milosavljevic's message of "Thu, 18 Jul 2019 11:58:41 +0200")
Message-ID: <875znzfoe3.fsf@gnu.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches"
To: Danny Milosavljevic
Cc: 36699@debbugs.gnu.org

Hi,

Danny Milosavljevic skribis:

> On Wed, 17 Jul 2019 01:29:39 +0200
> Ludovic Courtès wrote:
>
>> Ludovic Courtès skribis:
>>
>> > +    (define (sane-directory directory)
>> > +      ;; If DIRECTORY contains '..', raise an error; otherwise return it.
>> > +      (when (member ".." (string-split directory #\/))
>> > +        (raise (condition
>> > +                (&message (message "channel sub-directory must not contain '..'"))
>> > +                (&error-location (location location)))))
>> > +      directory)
>>
>> On second thought, it’s probably kind of useless since the only place
>> where ‘directory’ is used is in the derivation that builds the channel,
>> which is normally running in a chroot:
>>
>>   (let* ((subdir #$directory)
>>          (source (string-append #$source subdir)))
>>     (compile-files source go (find-files source "\\.scm$"))
>>     (mkdir-p (dirname scm))
>>     (symlink (string-append #$source subdir) scm))
>>
>> So I guess we can drop this patch.  Thoughts?
>
> I generally don't like weird name matching like this.  The Linux VFS can do
> arbitrary things (which would complicate the situation) to the name tree.
> Even now, a symlink "x" to ".." would work and not be caught.  To say nothing
> of what a custom file system could do.
>
> Why single out this one way?  It gives the illusion of security.
>
> Containers are better indeed.

Yes, and since that’s what we have, we can forget about this patch.

I definitely agree with everything you wrote; it’s just that the kernel
Linux being what it is, one sometimes has to resort to hacks like this.
Fortunately, that was misguided here, so let’s forget about this.  :-)

Ludo’.
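Review bot: the `(member ".." (string-split directory #\/))` test in `sane-directory` only rejects a literal `..` path component; a symlink inside the checkout whose target is `..` (the case raised in the reply), or any other name that resolves outside the tree, passes the check and is then used verbatim in `(string-append #$source subdir)`. Since the thread concludes that the chroot the derivation runs in is the real boundary, dropping the patch is the consistent outcome; if a check is kept anyway, it should resolve the path (for instance with `canonicalize-path`) and compare the result against the checkout root rather than match the string, and the `&message` should include the offending `directory` value so the user can see what was rejected.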
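The symlink case Danny raises above, made concrete as an added example that is not code from the thread or from Guix (Guix itself is Scheme; Python is used here so the example runs stand-alone). It builds a constructed checkout in a temporary directory with a symlink `x` pointing at `..`, then runs two checks over a few `directory` values: `rejects_dotdot`, a transliteration of the quoted patch's literal `..` test, and `stays_inside`, an assumed stricter alternative that resolves the path and compares it with the checkout root. The layout and the `stays_inside` function are this example's assumptions, not something the thread proposes.

```python
import os
import tempfile


def rejects_dotdot(directory: str) -> bool:
    """The quoted patch's check, transliterated: reject only a literal
    '..' component of the configured sub-directory string."""
    return ".." in directory.split("/")


def stays_inside(root: str, directory: str) -> bool:
    """Assumed stricter check (not from the thread): resolve symlinks in
    ROOT/DIRECTORY and require the result to still be under ROOT.
    Non-existent trailing components are kept by realpath(), so a path
    that merely passes through a bad symlink is still caught."""
    real_root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(real_root, directory.lstrip("/")))
    return target == real_root or target.startswith(real_root + os.sep)


def demo() -> dict:
    """Build a constructed checkout and return {directory: (dotdot, inside)}
    for each sample value, so the two checks can be compared."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "checkout")
        os.makedirs(os.path.join(root, "guix"))
        # The case from the thread: a symlink named "x" whose target is "..",
        # so "x/anything" escapes the checkout without containing "..".
        os.symlink("..", os.path.join(root, "x"))

        samples = ["guix", "../etc", "x/secret"]
        return {d: (rejects_dotdot(d), stays_inside(root, d)) for d in samples}


if __name__ == "__main__":
    for directory, (dotdot, inside) in demo().items():
        print(f"{directory!r:12} literal '..' check rejects: {dotdot!s:5} "
              f"resolved path stays inside: {inside}")
```

Only `stays_inside` flags `x/secret`; the literal check passes it, which is the "illusion of security" point. Resolving the path still assumes the file system answers honestly, which is why the thread settles on the container boundary rather than any string or path check.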