From 5e5d6613a3837586ccab51cd988b44c7df99253b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= Date: Mon, 23 Apr 2018 14:33:11 +0200 Subject: [PATCH] download: Use ungrafted tools in 'url-fetch/tarbomb' and 'url-fetch/zipbomb'. Fixes . Reported by Diego Nicola Barbato . * guix/download.scm (url-fetch/tarbomb): Pass #:graft? #f to 'gexp->derivation'. (url-fetch/zipbomb): Likewise. --- guix/download.scm | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/guix/download.scm b/guix/download.scm index 5044534bf5..7aa6c03665 100644 --- a/guix/download.scm +++ b/guix/download.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès +;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018 Ludovic Courtès ;;; Copyright © 2013, 2014, 2015 Andreas Enge ;;; Copyright © 2015 Federico Beffa ;;; Copyright © 2016 Alex Griffin @@ -509,6 +509,8 @@ own. This helper makes it easier to deal with \"tar bombs\"." #:system system #:guile guile))) ;; Take the tar bomb, and simply unpack it as a directory. + ;; Use ungrafted tar/gzip so that the resulting tarball doesn't depend on + ;; whether grafts are enabled. (gexp->derivation (or name file-name) #~(begin (mkdir #$output) @@ -516,6 +518,7 @@ own. This helper makes it easier to deal with \"tar bombs\"." (chdir #$output) (zero? (system* (string-append #$tar "/bin/tar") "xf" #$drv))) + #:graft? #f #:local-build? #t))) (define* (url-fetch/zipbomb url hash-algo hash @@ -539,12 +542,15 @@ own. This helper makes it easier to deal with \"zip bombs\"." #:system system #:guile guile))) ;; Take the zip bomb, and simply unpack it as a directory. + ;; Use ungrafted unzip so that the resulting tarball doesn't depend on + ;; whether grafts are enabled. (gexp->derivation (or name file-name) #~(begin (mkdir #$output) (chdir #$output) (zero? (system* (string-append #$unzip "/bin/unzip") #$drv))) + #:graft? #f #:local-build? #t))) (define* (download-to-store store url #:optional (name (basename url))