| author | Reepca Russelstein <reepca@russelstein.xyz> | 2025-09-01 19:51:18 -0500 |
|---|---|---|
| committer | Ludovic Courtès <ludo@gnu.org> | 2025-10-12 22:22:01 +0200 |
| commit | b39f914b3ef779ab50b2af5e4eee0d0f93e9b7f4 (patch) | |
| tree | f699f7f9985488c47f5816d8a7f16d6f58f47908 /guix/tests/git.scm | |
| parent | 4f5dd898c9b4ab8eeba2ec49e35bdcff36e5cc35 (diff) | |
scripts: perform-download: explicitly disallow local file downloads.

In the case of the rootless daemon, perform-download runs as the daemon user.
There are files - such as /etc/guix/signing-key.sec - that guix-daemon can
read but that it is essential that ordinary users cannot.

Currently url-fetch can't access raw filenames, and it doesn't include a case
for "file://" urls. 'git-fetch-with-fallback' can fetch from "file://" urls,
but it requires that the specified url is a valid git repository.

To be on the safe side, and to insulate against any changes to what url-fetch
and git support, explicitly disallow raw filenames and "file://" urls.

* guix/scripts/perform-download.scm (assert-non-local-urls): new procedure.
(perform-download, perform-git-download): use it.

Change-Id: Ibf2a91e696246eccb89c2423fcbcabb2131d3be5
Signed-off-by: Ludovic Courtès <ludo@gnu.org>

Diffstat (limited to 'guix/tests/git.scm')
0 files changed, 0 insertions, 0 deletions
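
The kind of check the commit message describes, as an added Guile example that is not the project's code: it treats a raw file name (a string with no URI scheme) and any "file" scheme URL as local and refuses the whole request. The procedure names `local-url?` and `reject-local-urls` and the sample URLs are assumptions made for illustration.

```scheme
(use-modules (web uri)
             (srfi srfi-1))

;; Hypothetical helper: return #t when URL designates something on the
;; local file system rather than a remote resource.
(define (local-url? url)
  (let ((uri (string->uri url)))         ;#f when URL has no scheme
    (or (not uri)                        ;raw file name such as "/etc/..."
        (eq? 'file (uri-scheme uri)))))  ;"file://" in any letter case

;; Hypothetical helper: refuse the whole request as soon as one of the
;; candidate URLs is local, so no fallback can reach the file system.
(define (reject-local-urls urls)
  (let ((bad (filter local-url? urls)))
    (unless (null? bad)
      (error "refusing to download from local URLs" bad))
    urls))

;; Constructed sample inputs; the file name is the one the commit
;; message gives as readable by the daemon but not by ordinary users.
(for-each (lambda (url)
            (format #t "~a -> ~a~%" url
                    (if (local-url? url) "rejected" "allowed")))
          '("https://example.org/foo.tar.gz"
            "file:///etc/guix/signing-key.sec"
            "FILE:///etc/guix/signing-key.sec"
            "/etc/guix/signing-key.sec"))
```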
