Security: Also check paths in the web server

Feb 13, 2013, 5:34 PM
7UHHF564BOGHA2CP4OZA3BEPUUTY5S3SS53A32F7RHEVSIDEVWRAC

Dependencies

  • [2] PMNWRTGJ Add multiple output support
  • [3] 5NO7NCKT * Refactoring.
  • [4] OD5FSS5A * Quick hack to allow viewing of dependency graphs (via nix-store -q
  • [5] LBNVQXUB * Build the /build stuff in a separate controller.
  • [6] MAOFG2TD * Allow omitting the product number if there is only one product in a
  • [*] 7DWCXNC7 Use the new Nix Perl bindings
  • [*] VYGMJ33O * Catalyst now escapes slashes to %2f, which broke defaultUriForProduct.
  • [*] XJFHFZCA * Provide some redirects to build products by type so that we can for
  • [*] NUIKDEHL * A quick hack to list the contents of various types of files (RPM,
  • [*] GJFYEU3S * Nix now stores logs by default as bzip2, make sure the build page uncompresses before showing.

Change contents

  • edit in src/lib/Hydra/Controller/Build.pm at line 13
    [8.31]
    [2.1578]
    use Nix::Config;
  • edit in src/lib/Hydra/Controller/Build.pm at line 170
    [9.99]
    [10.609]
    }
    sub checkPath {
    my ($self, $c, $path) = @_;
    my $storeDir = $Nix::Config::storeDir . "/";
    error($c, "Invalid path in build product.")
    if substr($path, 0, length($storeDir)) ne $storeDir || $path =~ /\/\.\./;
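Review bot: The condition in checkPath is purely lexical, so it does not account for symlinks: substr($path, 0, length($storeDir)) ne $storeDir only compares the string prefix and /\/\.\./ only rejects "/.." sequences, which means a path that passes both tests can still resolve outside $Nix::Config::storeDir if one of its components is a symlink. Consider canonicalising the path with Cwd::abs_path first and applying the prefix test to the result. The regex also rejects any component that merely begins with two dots (for example "/..foo"); /\/\.\.(\/|$)/ would restrict it to real parent-directory components. A short comment above the sub stating what it guarantees to callers would help as well.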
  • replacement in src/lib/Hydra/Controller/Build.pm at line 189
    [3.2573][3.62:156]()
    notFound($c, "Product " . $product->path . " has disappeared.") unless -e $product->path;
    [3.2573]
    [3.2671]
    notFound($c, "Build product " . $product->path . " has disappeared.") unless -e $product->path;
  • edit in src/lib/Hydra/Controller/Build.pm at line 205
    [3.2908]
    [3.2908]
    # Make sure the file is in the Nix store.
    checkPath($self, $c, $path);
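Review bot: The call checkPath($self, $c, $path) ignores any return value, so the check protects the code that follows only if error() aborts the request instead of returning. Confirm that error() never returns here, or have checkPath return a status that the caller tests before serving $path. Since the sub unpacks ($self, $c, $path), calling it as $self->checkPath($c, $path) would be the more idiomatic form.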
  • edit in src/lib/Hydra/Controller/Build.pm at line 250
    [11.482]
    [12.601]
    checkPath($self, $c, $path);
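Review bot: The checkPath call at line 250 lacks the explanatory comment that the call at line 205 carries, and with two call sites the validation is now something every path-serving action has to remember to invoke. Consider adding the same comment here and, longer term, routing all product path lookups through one helper that validates and returns the path, so a new action cannot skip the check.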