summary refs log tree commit diff
path: root/pkgs/build-support/setup-hooks
diff options
context:
space:
mode:
Diffstat (limited to 'pkgs/build-support/setup-hooks')
-rw-r--r--pkgs/build-support/setup-hooks/audit-tmpdir.sh41
-rw-r--r--pkgs/build-support/setup-hooks/multiple-outputs.sh2
2 files changed, 42 insertions, 1 deletions
diff --git a/pkgs/build-support/setup-hooks/audit-tmpdir.sh b/pkgs/build-support/setup-hooks/audit-tmpdir.sh
new file mode 100644
index 00000000000..ffaa61f2d80
--- /dev/null
+++ b/pkgs/build-support/setup-hooks/audit-tmpdir.sh
@@ -0,0 +1,41 @@
+# Check whether RPATHs or wrapper scripts contain references to
+# $TMPDIR. This is a serious security bug because it allows any user
+# to inject files into search paths of other users' processes.
+#
+# It might be better to have Nix scan build output for any occurrence
+# of $TMPDIR (which would also be good for reproducibility), but at
+# the moment that would produce too many spurious errors (e.g. debug
+# info or assertion messages that refer to $TMPDIR).
+
+fixupOutputHooks+=('if [ -z "$noAuditTmpdir" -a -e "$prefix" ]; then auditTmpdir "$prefix"; fi')
+
+auditTmpdir() {
+    local dir="$1"
+    [ -e "$dir" ] || return 0
+
+    header "checking for references to $TMPDIR in $dir..."
+
+    local i
+    while IFS= read -r -d $'\0' i; do
+        if [[ "$i" =~ .build-id ]]; then continue; fi
+
+        if isELF "$i"; then
+            if patchelf --print-rpath "$i" | grep -q -F "$TMPDIR"; then
+                echo "RPATH of binary $i contains a forbidden reference to $TMPDIR"
+                exit 1
+            fi
+        fi
+
+        if  isScript "$i"; then
+            if [ -e "$(dirname $i)/.$(basename $i)-wrapped" ]; then
+                if grep -q -F "$TMPDIR" "$i"; then
+                    echo "wrapper script $i contains a forbidden reference to $TMPDIR"
+                    exit 1
+                fi
+            fi
+        fi
+
+    done < <(find "$dir" -type f -print0)
+
+    stopNest
+}
diff --git a/pkgs/build-support/setup-hooks/multiple-outputs.sh b/pkgs/build-support/setup-hooks/multiple-outputs.sh
index eafc770a8e1..62a6491b8dc 100644
--- a/pkgs/build-support/setup-hooks/multiple-outputs.sh
+++ b/pkgs/build-support/setup-hooks/multiple-outputs.sh
@@ -61,7 +61,7 @@ _multioutConfig() {
             local shareDocName="$(sed -n "s/^PACKAGE_TARNAME='\(.*\)'$/\1/p" < "$confScript")"
         fi
                                     # PACKAGE_TARNAME sometimes contains garbage.
-        if [ -n "$shareDocName" ] || echo "$shareDocName" | grep -q '[^a-zA-Z-_0-9]'; then
+        if [ -n "$shareDocName" ] || echo "$shareDocName" | grep -q '[^a-zA-Z0-9_-]'; then
             shareDocName="$(echo "$name" | sed 's/-[^a-zA-Z].*//')"
         fi
     fi
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-07-11 04:49:00 +0000