diff options
author | eldritch horrors <pennae@lix.systems> | 2024-10-22 18:00:00 +0200 |
---|---|---|
committer | eldritch horrors <pennae@lix.systems> | 2024-10-23 11:32:14 +0000 |
commit | 67f1aafd610c028b160f2f2ac805e671ed7073de (patch) | |
tree | b3c446132769e130b023642b4d0cb618b7e4a483 | |
parent | 1d9d40b2a663464f1e6800d6de8df61433507423 (diff) |
libstore: restrict curl protocols
previously it was possible to fetchurl a dict server, or an ldap server,
or an imap server. this is a bit of a problem, both because rare schemes
may not be available on all systems, and because some schemes (e.g. scp)
are inherently insecure in potentially surprising ways we needn't allow.
Change-Id: I18fc567c6f58c3221b5ea8ce927f4da780057828
-rw-r--r-- | doc/manual/rl-next/download-protocols.md | 10 | ||||
-rw-r--r-- | src/libstore/filetransfer.cc | 2 |
2 files changed, 12 insertions, 0 deletions
diff --git a/doc/manual/rl-next/download-protocols.md b/doc/manual/rl-next/download-protocols.md new file mode 100644 index 000000000..bf1bf79a3 --- /dev/null +++ b/doc/manual/rl-next/download-protocols.md @@ -0,0 +1,10 @@ +--- +synopsis: "transfers no longer allow arbitrary url schemas" +category: Breaking Changes +cls: [2106] +credits: horrors +--- + +Lix no longer allows transfers using arbitrary url schemas. Only `http://`, `https://`, `ftp://`, `ftps://`, and `file://` urls are supported going forward. This affects `builtins.fetchurl`, `<nix/fetchurl.nix>`, transfers to and from binary caches, and all other uses of the internal file transfer code. Flake inputs using multi-protocol schemas (e.g. `git+ssh`) are not affected as those use external utilities to transfer data. + +The `s3://` scheme is not affected at all by this change and continues to work if S3 support is built into Lix. diff --git a/src/libstore/filetransfer.cc b/src/libstore/filetransfer.cc index 34b92148e..acbb042b7 100644 --- a/src/libstore/filetransfer.cc +++ b/src/libstore/filetransfer.cc @@ -282,6 +282,8 @@ struct curlFileTransfer : public FileTransfer curl_easy_setopt(req, CURLOPT_PROGRESSDATA, this); curl_easy_setopt(req, CURLOPT_NOPROGRESS, 0); + curl_easy_setopt(req, CURLOPT_PROTOCOLS_STR, "http,https,ftp,ftps,file"); + curl_easy_setopt(req, CURLOPT_HTTPHEADER, requestHeaders); if (settings.downloadSpeed.get() > 0) |