mirror of
https://github.com/NixOS/nix.git
synced 2025-11-10 20:46:01 +01:00
When searching up the filesystem for the root of the flake (the directory that contains the `flake.nix`), don’t go anywhere up if we encounter a directory owned by a different user, as otherwise this other user could craft an arbitrary flake, potentially causing bad stuff to happen (shouldn’t in most cases since all it could do is run sandboxed builds, but there’s probably a lot of edge-cases that would make this very undesirable).

This is to fix Nix’s equivalent of CVE-2022-24765.

This check is intentionally not applied to the exact directory specified since:

1. It’s up to the user to not point to an untrusted input
2. In multi-user Nix installations, that would prevent from using a flake in the Nix store (since it’s owned by root and not the current user)

Fix #6408

| Name |
|---|
| src |
| theme |
| anchors.jq |
| book.toml |
| custom.css |
| generate-builtins.nix |
| generate-manpage.nix |
| generate-xp-features-shortlist.nix |
| generate-xp-features.nix |
| local.mk |
| quote-literals.xsl |
| redirects.js |
| utils.nix |