checkURI(): Check file URIs against allowedPaths

This makes e.g. 'fetchGit ./.' work (assuming that ./. is an allowed path).
2018-02-06 14:35:14 +01:00 · 2018-02-06 14:35:14 +01:00 · f24e726ba5
parent f539085e65
commit f24e726ba5
1 changed files with 12 additions and 0 deletions
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@ -378,6 +378,18 @@ void EvalState::checkURI(const std::string & uri)
            && (prefix[prefix.size() - 1] == '/' || uri[prefix.size()] == '/')))
            return;

+    /* If the URI is a path, then check it against allowedPaths as
+       well. */
+    if (hasPrefix(uri, "/")) {
+        checkSourcePath(uri);
+        return;
+    }
+
+    if (hasPrefix(uri, "file://")) {
+        checkSourcePath(std::string(uri, 7));
+        return;
+    }
+
    throw RestrictedPathError("access to URI '%s' is forbidden in restricted mode", uri);
 }