guix-devel
Re: zipbomb handling should not be done in url-fetch/zipbomb


From: Arun Isaac
Subject: Re: zipbomb handling should not be done in url-fetch/zipbomb
Date: Wed, 21 Jun 2017 00:19:44 +0530

>> * Proposal
>>
>> zip bomb (zip archives without a top level directory) handling should
>> not be done in `url-fetch/zipbomb'. It should be implemented as a
>> boolean argument to the `unpack' phase.
>
> I guess the Boolean argument would determine whether to do (chdir
> (first-subdirectory ".")), right?
>
> Unfortunately that’s not enough for the cases where an origin has
> patches or a snippet, because that code also assumes there’s only one
> subdirectory (see ‘patch-and-repack’ in (guix packages)).

Ah, I didn't think of that.

> Perhaps the right fix would be to fix ‘patch-and-repack’ somehow.

Unfortunately, I don't know what that fix would look like. :-( Perhaps
`patch-and-repack' should somehow autodetect whether the archive is a
bomb or not. Do you think that is a good solution? It sounds
overcomplicated to me.

Or, we can just let this matter rest as it is not too important.
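
The autodetection idea discussed in the message above, shown as an added example that is not part of the original message and is not Guix code (Guix itself is written in Guile; Python is used here for illustration). The function names `source_root` and `make_zip` are hypothetical, and the sample archives are constructed in memory.

```python
import io
import zipfile


def source_root(zf):
    """Return the directory to enter after unpacking the archive `zf`.

    If every member lives under one top-level directory, return its name
    (the case where entering the first subdirectory is correct). Otherwise
    return ".", meaning the archive has no single top-level directory and
    should be unpacked into a fresh directory that becomes the source root.
    """
    tops = set()
    top_is_directory = False
    for name in zf.namelist():
        # Normalise "./foo", "foo//bar" and backslash separators.
        parts = [p for p in name.replace("\\", "/").split("/")
                 if p not in ("", ".")]
        if not parts:
            continue
        if ".." in parts:
            # A member that climbs out of the tree is never "well-formed".
            return "."
        tops.add(parts[0])
        if len(parts) > 1 or name.endswith("/"):
            top_is_directory = True
    # Exactly one top-level name, and it is a directory rather than a lone file.
    if len(tops) == 1 and top_is_directory:
        return tops.pop()
    return "."


def make_zip(names):
    """Build an in-memory zip with the given member names (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"" if n.endswith("/") else b"data")
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    for members in (["pkg-1.0/", "pkg-1.0/README", "pkg-1.0/src/main.c"],
                    ["README", "src/main.c"]):
        print(members, "->", source_root(make_zip(members)))
```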


