Do some validation of URLs

9cd63d22 · Eelco Dolstra · f3eb29c6 · 9cd63d22 · 9cd63d22 · 9cd63d22
Commit 9cd63d22 authored 12 years ago by Eelco Dolstra
--- a/perl/Makefile.am
+++ b/perl/Makefile.am
-PERL_MODULES = lib/Nix/Store.pm lib/Nix/Manifest.pm lib/Nix/GeneratePatches.pm lib/Nix/SSH.pm lib/Nix/CopyClosure.pm lib/Nix/Config.pm.in
+PERL_MODULES = lib/Nix/Store.pm lib/Nix/Manifest.pm lib/Nix/GeneratePatches.pm lib/Nix/SSH.pm lib/Nix/CopyClosure.pm lib/Nix/Config.pm.in lib/Nix/Utils.pm
 all: $(PERL_MODULES:.in=)

--- a/scripts/download-from-binary-cache.pl.in
+++ b/scripts/download-from-binary-cache.pl.in
@@ -5,6 +5,7 @@ use File::Basename;
 use IO::Select;
 use Nix::Config;
 use Nix::Store;
+use Nix::Utils;
 use WWW::Curl::Easy;
 use WWW::Curl::Multi;
 use strict;
@@ -249,8 +250,6 @@ sub processNARInfo {
        return undef;
    }
-    # FIXME: validate $url etc. for security.
    # Cache the result.
    $insertNAR->execute(
        $cache->{id}, basename($storePath), $url, $compression, $fileHash, $fileSize,
@@ -455,6 +454,7 @@ sub downloadBinary {
        }
        my $url = "$cache->{url}/$info->{url}"; # FIXME: handle non-relative URLs
        print STDERR "\n*** Downloading ‘$url’ into ‘$storePath’...\n";
+        Nix::Utils::checkURL $url;
        if (system("$Nix::Config::curl --fail --location --insecure '$url' | $decompressor | $Nix::Config::binDir/nix-store --restore $storePath") != 0) {
            die "download of `$info->{url}' failed" . ($! ? ": $!" : "") . "\n" unless $? == 0;
            next;

--- a/scripts/download-using-manifests.pl.in
+++ b/scripts/download-using-manifests.pl.in
@@ -4,6 +4,7 @@ use strict;
 use Nix::Config;
 use Nix::Manifest;
 use Nix::Store;
+use Nix::Utils;
 use POSIX qw(strftime);
 use File::Temp qw(tempdir);
@@ -306,6 +307,7 @@ while (scalar @path > 0) {
        # Download the patch.
        print STDERR "  downloading patch...\n";
        my $patchPath = "$tmpDir/patch";
+        Nix::Utils::checkURL $patch->{url};
        system("$curl '$patch->{url}' -o $patchPath") == 0
            or die "cannot download patch `$patch->{url}'\n";
@@ -336,6 +338,7 @@ while (scalar @path > 0) {
        my $size = $narFile->{size} || -1;
        print LOGFILE "$$ narfile $narFile->{url} $size $v\n";
+        Nix::Utils::checkURL $narFile->{url};
        if ($curStep < $maxStep) {
            # The archive will be used a base to a patch.
            system("$curl '$narFile->{url}' | $Nix::Config::bzip2 -d > $tmpNar") == 0

--- a/scripts/nix-install-package.in
+++ b/scripts/nix-install-package.in
@@ -3,6 +3,7 @@
 use strict;
 use File::Temp qw(tempdir);
 use Nix::Config;
+use Nix::Utils;
 sub usageError {
@@ -72,7 +73,7 @@ my $tmpDir = tempdir("nix-install-package.XXXXXX", CLEANUP => 1, TMPDIR => 1)
 sub barf {
    my $msg = shift;
-    print "$msg\n";
+    print "\nInstallation failed: $msg\n";
    <STDIN> if $interactive;
    exit 1;
 }
@@ -92,7 +93,6 @@ open PKGFILE, "<$pkgFile" or barf "cannot open `$pkgFile': $!";
 my $contents = <PKGFILE>;
 close PKGFILE;
-my $urlRE = "(?: [a-zA-Z][a-zA-Z0-9\+\-\.]*\:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']+ )";
 my $nameRE = "(?: [A-Za-z0-9\+\-\.\_\?\=]+ )"; # see checkStoreName()
 my $systemRE = "(?: [A-Za-z0-9\+\-\_]+ )";
 my $pathRE = "(?: \/ [\/A-Za-z0-9\+\-\.\_\?\=]* )";
@@ -101,7 +101,7 @@ my $pathRE = "(?: \/ [\/A-Za-z0-9\+\-\.\_\?\=]* )";
 # store path.  We'll let nix-env do that.
 $contents =~
-    / ^ \s* (\S+) \s+ ($urlRE) \s+ ($nameRE) \s+ ($systemRE) \s+ ($pathRE) \s+ ($pathRE) ( \s+ ($urlRE) )?  /x
+    / ^ \s* (\S+) \s+ ($Nix::Utils::urlRE) \s+ ($nameRE) \s+ ($systemRE) \s+ ($pathRE) \s+ ($pathRE) ( \s+ ($Nix::Utils::urlRE) )?  /x
    or barf "invalid package contents";
 my $version = $1;
 my $manifestURL = $2;