Do some validation of URLs

This commit is contained in:
Eelco Dolstra 2012-07-30 17:09:36 -04:00
parent f3eb29c653
commit 9cd63d2244
4 changed files with 9 additions and 6 deletions

View file

@ -1,4 +1,4 @@
PERL_MODULES = lib/Nix/Store.pm lib/Nix/Manifest.pm lib/Nix/GeneratePatches.pm lib/Nix/SSH.pm lib/Nix/CopyClosure.pm lib/Nix/Config.pm.in PERL_MODULES = lib/Nix/Store.pm lib/Nix/Manifest.pm lib/Nix/GeneratePatches.pm lib/Nix/SSH.pm lib/Nix/CopyClosure.pm lib/Nix/Config.pm.in lib/Nix/Utils.pm
all: $(PERL_MODULES:.in=) all: $(PERL_MODULES:.in=)

View file

@ -5,6 +5,7 @@ use File::Basename;
use IO::Select; use IO::Select;
use Nix::Config; use Nix::Config;
use Nix::Store; use Nix::Store;
use Nix::Utils;
use WWW::Curl::Easy; use WWW::Curl::Easy;
use WWW::Curl::Multi; use WWW::Curl::Multi;
use strict; use strict;
@ -249,8 +250,6 @@ sub processNARInfo {
return undef; return undef;
} }
# FIXME: validate $url etc. for security.
# Cache the result. # Cache the result.
$insertNAR->execute( $insertNAR->execute(
$cache->{id}, basename($storePath), $url, $compression, $fileHash, $fileSize, $cache->{id}, basename($storePath), $url, $compression, $fileHash, $fileSize,
@ -455,6 +454,7 @@ sub downloadBinary {
} }
my $url = "$cache->{url}/$info->{url}"; # FIXME: handle non-relative URLs my $url = "$cache->{url}/$info->{url}"; # FIXME: handle non-relative URLs
print STDERR "\n*** Downloading $url into $storePath...\n"; print STDERR "\n*** Downloading $url into $storePath...\n";
Nix::Utils::checkURL $url;
if (system("$Nix::Config::curl --fail --location --insecure '$url' | $decompressor | $Nix::Config::binDir/nix-store --restore $storePath") != 0) { if (system("$Nix::Config::curl --fail --location --insecure '$url' | $decompressor | $Nix::Config::binDir/nix-store --restore $storePath") != 0) {
die "download of `$info->{url}' failed" . ($! ? ": $!" : "") . "\n" unless $? == 0; die "download of `$info->{url}' failed" . ($! ? ": $!" : "") . "\n" unless $? == 0;
next; next;

View file

@ -4,6 +4,7 @@ use strict;
use Nix::Config; use Nix::Config;
use Nix::Manifest; use Nix::Manifest;
use Nix::Store; use Nix::Store;
use Nix::Utils;
use POSIX qw(strftime); use POSIX qw(strftime);
use File::Temp qw(tempdir); use File::Temp qw(tempdir);
@ -306,6 +307,7 @@ while (scalar @path > 0) {
# Download the patch. # Download the patch.
print STDERR " downloading patch...\n"; print STDERR " downloading patch...\n";
my $patchPath = "$tmpDir/patch"; my $patchPath = "$tmpDir/patch";
Nix::Utils::checkURL $patch->{url};
system("$curl '$patch->{url}' -o $patchPath") == 0 system("$curl '$patch->{url}' -o $patchPath") == 0
or die "cannot download patch `$patch->{url}'\n"; or die "cannot download patch `$patch->{url}'\n";
@ -336,6 +338,7 @@ while (scalar @path > 0) {
my $size = $narFile->{size} || -1; my $size = $narFile->{size} || -1;
print LOGFILE "$$ narfile $narFile->{url} $size $v\n"; print LOGFILE "$$ narfile $narFile->{url} $size $v\n";
Nix::Utils::checkURL $narFile->{url};
if ($curStep < $maxStep) { if ($curStep < $maxStep) {
# The archive will be used a base to a patch. # The archive will be used a base to a patch.
system("$curl '$narFile->{url}' | $Nix::Config::bzip2 -d > $tmpNar") == 0 system("$curl '$narFile->{url}' | $Nix::Config::bzip2 -d > $tmpNar") == 0

View file

@ -3,6 +3,7 @@
use strict; use strict;
use File::Temp qw(tempdir); use File::Temp qw(tempdir);
use Nix::Config; use Nix::Config;
use Nix::Utils;
sub usageError { sub usageError {
@ -72,7 +73,7 @@ my $tmpDir = tempdir("nix-install-package.XXXXXX", CLEANUP => 1, TMPDIR => 1)
sub barf { sub barf {
my $msg = shift; my $msg = shift;
print "$msg\n"; print "\nInstallation failed: $msg\n";
<STDIN> if $interactive; <STDIN> if $interactive;
exit 1; exit 1;
} }
@ -92,7 +93,6 @@ open PKGFILE, "<$pkgFile" or barf "cannot open `$pkgFile': $!";
my $contents = <PKGFILE>; my $contents = <PKGFILE>;
close PKGFILE; close PKGFILE;
my $urlRE = "(?: [a-zA-Z][a-zA-Z0-9\+\-\.]*\:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']+ )";
my $nameRE = "(?: [A-Za-z0-9\+\-\.\_\?\=]+ )"; # see checkStoreName() my $nameRE = "(?: [A-Za-z0-9\+\-\.\_\?\=]+ )"; # see checkStoreName()
my $systemRE = "(?: [A-Za-z0-9\+\-\_]+ )"; my $systemRE = "(?: [A-Za-z0-9\+\-\_]+ )";
my $pathRE = "(?: \/ [\/A-Za-z0-9\+\-\.\_\?\=]* )"; my $pathRE = "(?: \/ [\/A-Za-z0-9\+\-\.\_\?\=]* )";
@ -101,7 +101,7 @@ my $pathRE = "(?: \/ [\/A-Za-z0-9\+\-\.\_\?\=]* )";
# store path. We'll let nix-env do that. # store path. We'll let nix-env do that.
$contents =~ $contents =~
/ ^ \s* (\S+) \s+ ($urlRE) \s+ ($nameRE) \s+ ($systemRE) \s+ ($pathRE) \s+ ($pathRE) ( \s+ ($urlRE) )? /x / ^ \s* (\S+) \s+ ($Nix::Utils::urlRE) \s+ ($nameRE) \s+ ($systemRE) \s+ ($pathRE) \s+ ($pathRE) ( \s+ ($Nix::Utils::urlRE) )? /x
or barf "invalid package contents"; or barf "invalid package contents";
my $version = $1; my $version = $1;
my $manifestURL = $2; my $manifestURL = $2;