Add option allowed-uris

This allows network access in restricted eval mode.
author: Eelco Dolstra <edolstra@gmail.com> 2017-10-30 12:39:59 +0100
committer: Eelco Dolstra <edolstra@gmail.com> 2017-10-30 12:41:49 +0100
commit: 812e027e1d5a4f83394069edd67bdf8404ffa2bb (patch)
tree: fe11aee398ea3ddfa0a8117c566e2ed1c6435883 /src/libexpr/primops
parent: f1c555cef870654cdaf232b5d08fdbba0bf06add (diff)
1 files changed, 4 insertions, 3 deletions
diff --git a/src/libexpr/primops/fetchgit.cc b/src/libexpr/primops/fetchgit.cc
index 38bffd8db..81b641900 100644
--- a/src/libexpr/primops/fetchgit.cc
+++ b/src/libexpr/primops/fetchgit.cc
@@ -113,9 +113,6 @@ GitInfo exportGit(ref<Store> store, const std::string & uri,
 
 static void prim_fetchGit(EvalState & state, const Pos & pos, Value * * args, Value & v)
 {
-    // FIXME: cut&paste from fetch().
-    if (state.restricted) throw Error("'fetchGit' is not allowed in restricted mode");
-
     std::string url;
     std::string ref = "master";
     std::string rev;
@@ -150,6 +147,10 @@ static void prim_fetchGit(EvalState & state, const Pos & pos, Value * * args, Va
     } else
         url = state.forceStringNoCtx(*args[0], pos);
 
+    // FIXME: git externals probably can be used to bypass the URI
+    // whitelist. Ah well.
+    state.checkURI(url);
+
     auto gitInfo = exportGit(state.store, url, ref, rev, name);
 
     state.mkAttrs(v, 8);
author	Eelco Dolstra <edolstra@gmail.com>	2017-10-30 12:39:59 +0100
committer	Eelco Dolstra <edolstra@gmail.com>	2017-10-30 12:41:49 +0100
commit	812e027e1d5a4f83394069edd67bdf8404ffa2bb (patch)
tree	fe11aee398ea3ddfa0a8117c566e2ed1c6435883 /src/libexpr/primops
parent	f1c555cef870654cdaf232b5d08fdbba0bf06add (diff)