From d62f46e500958bc97ae6837911e27c20a47cc181 Mon Sep 17 00:00:00 2001
From: Shea Levy <shea@shealevy.com>
Date: Tue, 24 Jun 2014 10:50:03 -0400
Subject: [PATCH] Only add the importNative primop if the
allow-arbitrary-code-during-evaluation option is true (default false)
---
src/libexpr/primops.cc | 3 ++-
src/libstore/globals.cc | 2 ++
src/libstore/globals.hh | 3 +++
3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc
index d6ac7c957..ff82f36b5 100644
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@@ -1368,7 +1368,8 @@ void EvalState::createBaseEnv()
mkApp(v, *baseEnv.values[baseEnvDispl - 1], *v2);
forceValue(v);
addConstant("import", v);
- addPrimOp("__importNative", 2, prim_importNative);
+ if (settings.enableImportNative)
+ addPrimOp("__importNative", 2, prim_importNative);
addPrimOp("__typeOf", 1, prim_typeOf);
addPrimOp("isNull", 1, prim_isNull);
addPrimOp("__isFunction", 1, prim_isFunction);
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index 180344e33..5d359e128 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -61,6 +61,7 @@ Settings::Settings()
envKeepDerivations = false;
lockCPU = getEnv("NIX_AFFINITY_HACK", "1") == "1";
showTrace = false;
+ enableImportNative = false;
}
@@ -148,6 +149,7 @@ void Settings::update()
get(sshSubstituterHosts, "ssh-substituter-hosts");
get(useSshSubstituter, "use-ssh-substituter");
get(logServers, "log-servers");
+ get(enableImportNative, "allow-arbitrary-code-during-evaluation");
string subs = getEnv("NIX_SUBSTITUTERS", "default");
if (subs == "default") {
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 65a6c388b..8dd59a9c7 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -200,6 +200,9 @@ struct Settings {
/* A list of URL prefixes that can return Nix build logs. */
Strings logServers;
+ /* Whether the importNative primop should be enabled */
+ bool enableImportNative;
+
private:
SettingsMap settings, overrides;
--
GitLab