wroclaw-git-backups/nix
1
0
Fork 0
mirror of https://github.com/NixOS/nix synced 2025-07-18 02:58:27 +02:00
Code Activity

Check the CA hash when importing stuff in the local store

Browse source 
When adding a path to the local store (via `LocalStore::addToStore`),
ensure that the `ca` field of the provided `ValidPathInfo` does indeed
correspond to the content of the path.
Otherwise any untrusted user (or any binary cache) can add arbitrary
content-addressed paths to the store (as content-addressed paths don’t
need a signature).
This commit is contained in:
regnat 2021-05-27 13:25:25 +02:00 committed by Eelco Dolstra
parent 5713ff48c3
commit 3dbd83b9a1
4 changed files with 97 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

1
tests/local.mk
View file

@ -12,6 +12,7 @@ nix_tests = \
timeout.sh secure-drv-outputs.sh nix-channel.sh \
multiple-outputs.sh import-derivation.sh fetchurl.sh optimise-store.sh \
binary-cache.sh nix-profile.sh repair.sh dump-db.sh case-hack.sh \
substitute-with-invalid-ca.sh \
check-reqs.sh pass-as-file.sh tarball.sh restricted.sh \
placeholders.sh nix-shell.sh \
linux-sandbox.sh \