From aa7ddeb8e95126e9103dbcc42f19a65c5900cc04 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Sat, 23 Feb 2013 16:07:30 +0100
Subject: [PATCH] Use hashFile instead of nix-hash

Calling a shell command is a security hole if $path contains special characters (e.g. "${foo}"). Observed in http://hydra.nixos.org/build/4041321.
---
 src/lib/Hydra/Helper/AddBuilds.pm | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/src/lib/Hydra/Helper/AddBuilds.pm b/src/lib/Hydra/Helper/AddBuilds.pm
index 63a6d7a0..6c108574 100644
--- a/src/lib/Hydra/Helper/AddBuilds.pm
+++ b/src/lib/Hydra/Helper/AddBuilds.pm
@@ -801,14 +801,8 @@ sub addBuildProducts {
 if (-f $path) {
 my $st = stat($path) or die "cannot stat $path: $!";
 $fileSize = $st->size;
-
- $sha1 = `nix-hash --flat --type sha1 $path`
- or die "cannot hash $path: $?";;
- chomp $sha1;
-
- $sha256 = `nix-hash --flat --type sha256 $path`
- or die "cannot hash $path: $?";;
- chomp $sha256;
+ $sha1 = hashFile("sha1", 0, $path);
+ $sha256 = hashFile("sha256", 0, $path);
 }
 
 my $name = $path eq $outPath ? "" : basename $path;
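Review bot: The two new `hashFile` calls in the `-f $path` branch have neither error handling nor a comment, whereas each removed backtick call ended in `or die "cannot hash $path: $?"`; whether an unreadable file still aborts the import now depends on `hashFile` raising on its own, which this hunk does not show. The literal `0` is also opaque: it is presumably the base-32 flag, with 0 keeping the hex digest that `nix-hash --flat` printed, so the stored values stay in the same format. I would put a comment above the calls, e.g. `# hashFile(algo, base32, path): in-process, no shell; 0 = hex digest as nix-hash printed; expected to die on error (confirm)`. Because the fix is about `$path` reaching a shell, any other backtick or `system` call that interpolates `$path` elsewhere in `addBuildProducts`, whose body starts and ends outside this hunk, should get the same review.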