diff --git a/perl/Makefile.am b/perl/Makefile.am
index d1f9b1c741..e428943530 100644
--- a/perl/Makefile.am
+++ b/perl/Makefile.am
@@ -1,4 +1,4 @@
-PERL_MODULES = lib/Nix/Store.pm lib/Nix/Manifest.pm lib/Nix/GeneratePatches.pm lib/Nix/SSH.pm lib/Nix/CopyClosure.pm lib/Nix/Config.pm.in
+PERL_MODULES = lib/Nix/Store.pm lib/Nix/Manifest.pm lib/Nix/GeneratePatches.pm lib/Nix/SSH.pm lib/Nix/CopyClosure.pm lib/Nix/Config.pm.in lib/Nix/Utils.pm
 
 all: $(PERL_MODULES:.in=)
 
diff --git a/scripts/download-from-binary-cache.pl.in b/scripts/download-from-binary-cache.pl.in
index 7e203ec9d0..5d65e664e5 100644
--- a/scripts/download-from-binary-cache.pl.in
+++ b/scripts/download-from-binary-cache.pl.in
@@ -5,6 +5,7 @@ use File::Basename;
 use IO::Select;
 use Nix::Config;
 use Nix::Store;
+use Nix::Utils;
 use WWW::Curl::Easy;
 use WWW::Curl::Multi;
 use strict;
@@ -249,8 +250,6 @@ sub processNARInfo {
 return undef;
 }
 
- # FIXME: validate $url etc. for security.
-
 # Cache the result.
 $insertNAR->execute(
 $cache->{id}, basename($storePath), $url, $compression, $fileHash, $fileSize,
@@ -455,6 +454,7 @@ sub downloadBinary {
 }
 my $url = "$cache->{url}/$info->{url}"; # FIXME: handle non-relative URLs
 print STDERR "\n*** Downloading ‘$url’ into ‘$storePath’...\n";
+ Nix::Utils::checkURL $url;
 if (system("$Nix::Config::curl --fail --location --insecure '$url' | $decompressor | $Nix::Config::binDir/nix-store --restore $storePath") != 0) {
 die "download of `$info->{url}' failed" . ($! ? ": $!" : "") . "\n" unless $? == 0;
 next;
diff --git a/scripts/download-using-manifests.pl.in b/scripts/download-using-manifests.pl.in
index 04bcce90da..24f7c98e0c 100755
--- a/scripts/download-using-manifests.pl.in
+++ b/scripts/download-using-manifests.pl.in
@@ -4,6 +4,7 @@ use strict;
 use Nix::Config;
 use Nix::Manifest;
 use Nix::Store;
+use Nix::Utils;
 use POSIX qw(strftime);
 use File::Temp qw(tempdir);
 
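Review bot: The new `Nix::Utils::checkURL $url;` in downloadBinary guards a `system()` call that still interpolates `$url` inside single quotes in a shell command line, so the protection is only as strong as the character class checkURL accepts; if Nix::Utils reuses the `$urlRE` this commit removes from nix-install-package.in (cannot confirm from the diff), that class admits `'` and `$`, and a quote is exactly the character that terminates the quoted shell argument. Either exclude `'` (and `$`) from the accepted class in checkURL, or better, stop routing the URL through a shell, e.g. start curl with the list form `open(my $curl, '-|', $Nix::Config::curl, '--fail', '--location', '--insecure', $url)` and feed the decompressor from that handle. The same `system("$curl '...'")` pattern sits behind the two checkURL calls added to download-using-manifests.pl.in, so whatever is decided here applies there too. As a point of style, write the call with parentheses, `Nix::Utils::checkURL($url);`, rather than the bareword-style call. downloadBinary continues outside the hunk.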
@@ -306,6 +307,7 @@ while (scalar @path > 0) {
 # Download the patch.
 print STDERR " downloading patch...\n";
 my $patchPath = "$tmpDir/patch";
+ Nix::Utils::checkURL $patch->{url};
 system("$curl '$patch->{url}' -o $patchPath") == 0
 or die "cannot download patch `$patch->{url}'\n";
 
@@ -336,6 +338,7 @@ while (scalar @path > 0) {
 my $size = $narFile->{size} || -1;
 print LOGFILE "$$ narfile $narFile->{url} $size $v\n";
 
+ Nix::Utils::checkURL $narFile->{url};
 if ($curStep < $maxStep) {
 # The archive will be used a base to a patch.
 system("$curl '$narFile->{url}' | $Nix::Config::bzip2 -d > $tmpNar") == 0
diff --git a/scripts/nix-install-package.in b/scripts/nix-install-package.in
index 35d5f9d530..6564529385 100755
--- a/scripts/nix-install-package.in
+++ b/scripts/nix-install-package.in
@@ -3,6 +3,7 @@
 use strict;
 use File::Temp qw(tempdir);
 use Nix::Config;
+use Nix::Utils;
 
 
 sub usageError {
@@ -72,7 +73,7 @@ my $tmpDir = tempdir("nix-install-package.XXXXXX", CLEANUP => 1, TMPDIR => 1)
 
 sub barf {
 my $msg = shift;
- print "$msg\n";
+ print "\nInstallation failed: $msg\n";
 if $interactive;
 exit 1;
 }
@@ -92,7 +93,6 @@ open PKGFILE, "<$pkgFile" or barf "cannot open `$pkgFile': $!";
 my $contents = ;
 close PKGFILE;
 
-my $urlRE = "(?: [a-zA-Z][a-zA-Z0-9\+\-\.]*\:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']+ )";
 my $nameRE = "(?: [A-Za-z0-9\+\-\.\_\?\=]+ )"; # see checkStoreName()
 my $systemRE = "(?: [A-Za-z0-9\+\-\_]+ )";
 my $pathRE = "(?: \/ [\/A-Za-z0-9\+\-\.\_\?\=]* )";
@@ -101,7 +101,7 @@ my $pathRE = "(?: \/ [\/A-Za-z0-9\+\-\.\_\?\=]* )";
 # store path. We'll let nix-env do that.
 
 $contents =~
- / ^ \s* (\S+) \s+ ($urlRE) \s+ ($nameRE) \s+ ($systemRE) \s+ ($pathRE) \s+ ($pathRE) ( \s+ ($urlRE) )? /x
+ / ^ \s* (\S+) \s+ ($Nix::Utils::urlRE) \s+ ($nameRE) \s+ ($systemRE) \s+ ($pathRE) \s+ ($pathRE) ( \s+ ($Nix::Utils::urlRE) )? /x
 or barf "invalid package contents";
 my $version = $1;
 my $manifestURL = $2;
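Review bot: The rewritten pattern reaches into another package's global, `$Nix::Utils::urlRE`, twice inside one regex; a clearer form is to bind it once next to the other sub-patterns, `my $urlRE = $Nix::Utils::urlRE;`, and leave the match line as it was. Because the sub-pattern is a plain string interpolated under `/x`, whatever Nix::Utils defines has to carry the same escaping as the definition removed above (`\$`, `\'`, `\.` inside the class) or the accepted character set changes silently, which is worth confirming against the module since it is not part of this diff. The enclosing statement and the `$1`/`$2` reads are otherwise unchanged by the commit.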