From: Christian Kellermann
Subject: Re: [Chicken-hackers] [patch] disallow slashes in egg names, ignore . and ..
Date: Fri, 24 Feb 2012 22:01:33 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

* Christian Kellermann <address@hidden> [120224 21:10]:
> Dear fellow hackers,
> 
> please find a patch attached to mitigate the potential security
> issue in henrietta by allowing "egg names" which can be interpreted
> as paths.

Please ignore this patch!

Disallowing slashes is probably not the way to go here, at least
not the way I have implemented it.

Can someone please explain to me which use case the cond clause
below represents?

 ;; An argument whose extension is "setup" names a local egg: the file
 ;; name (without extension) becomes the egg name, and its directory,
 ;; made absolute against the current directory when it is relative, is
 ;; recorded as the egg's location, with an empty version string.
 ((equal? "setup" (pathname-extension arg))
    (let ((egg (pathname-file arg)))
      (set! *eggs+dirs+vers*
        (alist-cons
         egg
         (list
          (let ((dir (pathname-directory arg)))
            (if dir
                (if (absolute-pathname? dir)
                    dir
                    (make-pathname (current-directory) dir) )
                (current-directory)))
          "")
         *eggs+dirs+vers*))
      (loop (cdr args) (cons egg eggs))))

This is the potentially broken-by-my-patch code. Also, as Jim has
pointed out, this is only half the issue, since in the dependency
list there also might be an egg containing a slash, not just on the
command line. For example, if a user loads a setup file containing
these as dependencies, then my approach would fail.

Disallowing it does not improve the henrietta security issue, as it
is client-side checking and snake oil (though it could prevent
accidentally malformed dependencies).

I would revert back to a much simpler version of this patch which
is attached to this email. If there is a good reason for disallowing
"/"s explicitly I'd love to hear about it.

Kind regards,

Christian

-- 
Who can (make) the muddy water (clear)? Let it be still, and it will
gradually become clear. Who can secure the condition of rest? Let
movement go on, and the condition of rest will gradually arise.
 -- Lao Tse. 

Attachment: 0001-Ignore-.-and-.-as-egg-names-in-chicken-install.patch
Description: Text document
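The mail above makes two points that the same piece of code illustrates: "." and ".." must not be accepted as egg names, and a check that only runs in chicken-install is client-side and so does nothing for henrietta, which has to validate the name itself before touching the file system. The block below is an added example written for this page; it is not henrietta's or chicken-install's own code. The names egg-name-ok?, safe-egg-path and the repository directory are made up for the example, the 64-character limit and the allowed character set are assumptions, and the sample names at the bottom are constructed. It uses only standard Scheme and runs under csi.

```scheme
;; Added example, not henrietta's or chicken-install's own code.
;; Server-side validation of an egg name received from a client, so that
;; the name can never be interpreted as a path component other than a
;; single bare file name.

;; Assumed repository location; henrietta's real layout is not shown on
;; the page.
(define egg-repository "/var/lib/henrietta/eggs")

;; Allow-list of characters an egg name may contain (assumption: letters,
;; digits, '-', '_' and '+').  '/' is not in the list, so no slash check
;; is needed, and '.' is left out so that "." and ".." fail the same test
;; as any other bad name.  If a real egg name needs '.', add it here and
;; rely on the explicit "." / ".." rejection in egg-name-ok?.
(define (egg-name-char? c)
  (or (char-alphabetic? c)
      (char-numeric? c)
      (memv c '(#\- #\_ #\+))))

;; #t only when NAME is a non-empty, bounded string made entirely of
;; allow-listed characters and is not one of the two directory aliases.
(define (egg-name-ok? name)
  (and (string? name)
       (> (string-length name) 0)
       (<= (string-length name) 64)            ; assumed upper bound
       (not (member name '("." "..")))         ; explicit, even if redundant
       (let loop ((cs (string->list name)))
         (or (null? cs)
             (and (egg-name-char? (car cs))
                  (loop (cdr cs)))))))

;; Returns the path to serve for NAME, or #f when the name is rejected.
;; The path is built only after validation, and only ever as
;; <repository>/<bare name>, never by joining the client's string as-is.
(define (safe-egg-path name)
  (and (egg-name-ok? name)
       (string-append egg-repository "/" name)))

;; Constructed sample input: two plausible egg names followed by the
;; path-like strings the thread is worried about.
(define samples
  '("regex" "srfi-13"
    "." ".." "../../etc/passwd" "foo/bar" "/etc/passwd" "" "foo;id"))

(for-each
 (lambda (n)
   (display (if (string=? n "") "<empty>" n))
   (display " -> ")
   (display (or (safe-egg-path n) "rejected"))
   (newline))
 samples)
```

Only the first two samples produce a path; every other one is rejected by the allow-list before any file system call is made. The point of validating the name itself, rather than inspecting the path it would produce, is that the check does not depend on how pathname-directory or the operating system later interprets the string, which is exactly why a client-side filter in chicken-install cannot substitute for it.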
