authorVladimír Čunát <vcunat@gmail.com>2017-05-26 15:42:47 +0200
committerVladimír Čunát <vcunat@gmail.com>2017-05-26 15:45:43 +0200
commit00672dec8a1367a1d559660aa7a125b31f3f6562 (patch)
treecf10194cc5aafae004499df5ce1ad28eb3123c2f /pkgs/build-support
parent574e4e296f16939edfd2d4f1b2ea453c5c341927 (diff)
parentb7fed33057e29fa0d5ab4921598d037c040baae6 (diff)
Merge older staging
This still causes some uncached rebuilds, but master(!) and staging
move forward too fast rebuild-wise, so Hydra might never catch up.
(There are also other occasional problems.)
Therefore I merge at this point where the rebuild isn't that bad.
Diffstat (limited to 'pkgs/build-support')
-rw-r--r--pkgs/build-support/cc-wrapper/utils.sh67
-rw-r--r--pkgs/build-support/setup-hooks/audit-tmpdir.sh41
-rw-r--r--pkgs/build-support/setup-hooks/multiple-outputs.sh2
3 files changed, 90 insertions, 20 deletions
diff --git a/pkgs/build-support/cc-wrapper/utils.sh b/pkgs/build-support/cc-wrapper/utils.sh
index aba5f3295a98..d17930e8ab5d 100644
--- a/pkgs/build-support/cc-wrapper/utils.sh
+++ b/pkgs/build-support/cc-wrapper/utils.sh
@@ -23,26 +23,55 @@ badPath() {
         "${p:0:${#NIX_BUILD_TOP}}" != "$NIX_BUILD_TOP"
 }
 
+# @args.rsp parser.
+# Char classes: space, other, backslash, single quote, double quote.
+# States: 0 - outside, 1/2 - unquoted arg/slash, 3/4 - 'arg'/slash, 5/6 - "arg"/slash.
+# State transitions:
+rspT=(01235 01235 11111 33413 33333 55651 55555)
+# Push char on transition:
+rspC[01]=1 rspC[11]=1 rspC[21]=1 rspC[33]=1 rspC[43]=1 rspC[55]=1 rspC[65]=1
+
+rspParse() {
+    rsp=()
+    local s="$1"
+    local state=0
+    local arg=''
+
+    for (( i=0; i<${#s}; i++ )); do
+        local c="${s:$i:1}"
+        local cls=1
+        case "$c" in
+            ' ' | $'\t' | $'\r' | $'\n') cls=0 ;;
+            '\') cls=2 ;;
+            "'") cls=3 ;;
+            '"') cls=4 ;;
+        esac
+        local nextstates="${rspT[$state]}"
+        local nextstate="${nextstates:$cls:1}"
+        if [ "${rspC[$state$nextstate]}" ]; then
+            arg+="$c"
+        elif [ "$state$nextstate" = "10" ]; then
+            rsp+=("$arg")
+            arg=''
+        fi
+        state="$nextstate"
+    done
+
+    if [ "$state" -ne 0 ]; then
+        rsp+=("$arg")
+    fi
+}
+
 expandResponseParams() {
-    local inparams=("$@")
-    local n=0
-    local p
     params=()
-    while [ $n -lt ${#inparams[*]} ]; do
-        p=${inparams[n]}
-        case $p in
-            @*)
-                if [ -e "${p:1}" ]; then
-                    args=$(<"${p:1}")
-                    eval 'for arg in '${args//$/\\$}'; do params+=("$arg"); done'
-                else
-                    params+=("$p")
-                fi
-                ;;
-            *)
-                params+=("$p")
-                ;;
-        esac
-        n=$((n + 1))
+    while [ $# -gt 0 ]; do
+        local p="$1"
+        shift
+        if [ "${p:0:1}" = '@' -a -e "${p:1}" ]; then
+            rspParse "$(<"${p:1}")"
+            set -- "${rsp[@]}" "$@"
+        else
+            params+=("$p")
+        fi
     done
 }
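Review bot: The test on the new `if` line in expandResponseParams uses the deprecated `-a` inside `[ ]`; the same condition reads more robustly as `if [ "${p:0:1}" = '@' ] && [ -e "${p:1}" ]; then`. In rspParse the loop index is never declared, so `for (( i=0; i<${#s}; i++ ))` writes a global `i` into whatever shell sources this wrapper; a `local i` next to `local arg=''` keeps it contained. Because expanded arguments are pushed back onto `$@` with `set --` and re-scanned, a response file that names itself (or a cycle of files) appears to loop without end — if that is accepted behaviour, a comment on the `set --` line saying so would help. The `rspC` subscripts such as `01` are evaluated arithmetically (leading zero means octal), which happens to agree with the `"$state$nextstate"` lookups; a one-line comment above the `rspC[...]` assignments noting this would spare the next reader from having to verify it.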
diff --git a/pkgs/build-support/setup-hooks/audit-tmpdir.sh b/pkgs/build-support/setup-hooks/audit-tmpdir.sh
new file mode 100644
index 000000000000..ffaa61f2d809
--- /dev/null
+++ b/pkgs/build-support/setup-hooks/audit-tmpdir.sh
@@ -0,0 +1,41 @@
+# Check whether RPATHs or wrapper scripts contain references to
+# $TMPDIR. This is a serious security bug because it allows any user
+# to inject files into search paths of other users' processes.
+#
+# It might be better to have Nix scan build output for any occurrence
+# of $TMPDIR (which would also be good for reproducibility), but at
+# the moment that would produce too many spurious errors (e.g. debug
+# info or assertion messages that refer to $TMPDIR).
+
+fixupOutputHooks+=('if [ -z "$noAuditTmpdir" -a -e "$prefix" ]; then auditTmpdir "$prefix"; fi')
+
+auditTmpdir() {
+    local dir="$1"
+    [ -e "$dir" ] || return 0
+
+    header "checking for references to $TMPDIR in $dir..."
+
+    local i
+    while IFS= read -r -d $'\0' i; do
+        if [[ "$i" =~ .build-id ]]; then continue; fi
+
+        if isELF "$i"; then
+            if patchelf --print-rpath "$i" | grep -q -F "$TMPDIR"; then
+                echo "RPATH of binary $i contains a forbidden reference to $TMPDIR"
+                exit 1
+            fi
+        fi
+
+        if  isScript "$i"; then
+            if [ -e "$(dirname $i)/.$(basename $i)-wrapped" ]; then
+                if grep -q -F "$TMPDIR" "$i"; then
+                    echo "wrapper script $i contains a forbidden reference to $TMPDIR"
+                    exit 1
+                fi
+            fi
+        fi
+
+    done < <(find "$dir" -type f -print0)
+
+    stopNest
+}
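Review bot: `$(dirname $i)` and `$(basename $i)` on the wrapper-check line are unquoted, so a file name containing whitespace or glob characters is word-split before the `-e` test and the wrapper check silently misses it; quote them, `if [ -e "$(dirname "$i")/.$(basename "$i")-wrapped" ]; then`, or avoid the forks with `if [ -e "${i%/*}/.${i##*/}-wrapped" ]; then`. The skip pattern `.build-id` is an unanchored regex in which the dot matches any character, so `\.build-id` states the intent exactly. The `fixupOutputHooks` line uses `-a` inside `[ ]`, which is deprecated; `[ -z "$noAuditTmpdir" ] && [ -e "$prefix" ]` is the portable form. Both failure messages are written to stdout right before `exit 1`; appending `>&2` keeps them visible when build output is filtered.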
diff --git a/pkgs/build-support/setup-hooks/multiple-outputs.sh b/pkgs/build-support/setup-hooks/multiple-outputs.sh
index eafc770a8e17..62a6491b8dc0 100644
--- a/pkgs/build-support/setup-hooks/multiple-outputs.sh
+++ b/pkgs/build-support/setup-hooks/multiple-outputs.sh
@@ -61,7 +61,7 @@ _multioutConfig() {
             local shareDocName="$(sed -n "s/^PACKAGE_TARNAME='\(.*\)'$/\1/p" < "$confScript")"
         fi
                                     # PACKAGE_TARNAME sometimes contains garbage.
-        if [ -n "$shareDocName" ] || echo "$shareDocName" | grep -q '[^a-zA-Z-_0-9]'; then
+        if [ -n "$shareDocName" ] || echo "$shareDocName" | grep -q '[^a-zA-Z0-9_-]'; then
             shareDocName="$(echo "$name" | sed 's/-[^a-zA-Z].*//')"
         fi
     fi
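Review bot: The condition on the changed line looks inverted relative to the comment above it: `[ -n "$shareDocName" ]` makes the fallback fire whenever a PACKAGE_TARNAME was found, while an empty value is never replaced because grep finds no garbage in an empty string. If the intent is "replace when missing or garbage", the test should read `if [ -z "$shareDocName" ] || echo "$shareDocName" | grep -q '[^a-zA-Z0-9_-]'; then`; if `-n` is deliberate, the comment should say why every found value is discarded. _multioutConfig starts outside the hunk.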