forked from lix-project/lix
Fix security hole in ‘nix-store --serve’
Since it didn't check that the path received from the client is a store path, the client could dump any path in the file system.
This commit is contained in:
parent
66dbc0fdee
commit
2c3a8f787b
|
@ -923,7 +923,7 @@ static void opServe(Strings opFlags, Strings opArgs)
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case cmdSubstitute:
|
case cmdSubstitute:
|
||||||
dumpPath(readString(in), out);
|
dumpPath(readStorePath(in), out);
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
throw Error(format("unknown serve command `%1%'") % cmd);
|
throw Error(format("unknown serve command `%1%'") % cmd);
|
||||||
|
|
Loading…
Reference in a new issue