forked from lix-project/lix
43e28a1b75
In EvalState::checkSourcePath, the path is checked against the list of allowed paths first and later it's checked again *after* resolving symlinks. The resolving of the symlinks is done via canonPath, which also strips out "../" and "./". However after the canonicalisation the error message pointing out that the path is not allowed prints the symlink target in the error message. Even if we'd suppress the message, symlink targets could still be leaked if the symlink target doesn't exist (in this case the error is thrown in canonPath). So instead, we now do canonPath() without symlink resolving first before even checking against the list of allowed paths and then later do the symlink resolving and checking the allowed paths again. The first call to canonPath() should get rid of all the "../" and "./", so in theory the only way to leak a symlink if the attacker is able to put a symlink in one of the paths allowed by restricted evaluation mode. For the latter I don't think this is part of the threat model, because if the attacker can write to that path, the attack vector is even larger. Signed-off-by: aszlig <aszlig@nix.build> |
||
|---|---|---|
| .github | ||
| config | ||
| corepkgs | ||
| doc/manual | ||
| maintainers | ||
| misc | ||
| mk | ||
| perl | ||
| scripts | ||
| src | ||
| tests | ||
| .dir-locals.el | ||
| .editorconfig | ||
| .gitignore | ||
| .travis.yml | ||
| bootstrap.sh | ||
| configure.ac | ||
| COPYING | ||
| local.mk | ||
| Makefile | ||
| Makefile.config.in | ||
| nix.spec.in | ||
| README.md | ||
| release-common.nix | ||
| release.nix | ||
| shell.nix | ||
| version | ||
Nix, the purely functional package manager
Nix is a new take on package management that is fairly unique. Because of its purity aspects, a lot of issues found in traditional package managers don't appear with Nix.
To find out more about the tool, usage and installation instructions, please read the manual, which is available on the Nix website at http://nixos.org/nix/manual.
Contributing
Take a look at the Hacking Section of the manual. It helps you to get started with building Nix from source.
License
Nix is released under the LGPL v2.1
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.