Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Backport 2.20-maintenance] #912 allow leading period #9891

Merged
merged 5 commits into from
Jan 31, 2024
Merged

[Backport 2.20-maintenance] #912 allow leading period #9891

merged 5 commits into from
Jan 31, 2024

Conversation

github-actions[bot]
Copy link

Automatic backport to 2.20-maintenance, triggered by a label in #9867.

@roberth @github-actions
Revert "StorePath: reject names starting with '.'"
0f4db25 
This reverts commit 24bda0c.

(cherry picked from commit 9ddd0f2)
@roberth @github-actions
parseStorePath: Support leading period
f36832c 
(cherry picked from commit b13e6a7)
@roberth @github-actions
test: Generate distinct path names
b35958b 
Gen::just is the constant generator. Don't just return that!
(cherry picked from commit 69bbd58)
@roberth @github-actions
test: Generate distinct hashes
60fb31a 
Gen::just is the constant generator. Don't just return that!
(cherry picked from commit 8406da2)
@roberth @github-actions
Disallow store path names that are . or .. (plus opt. -)
b5947b5 
As discussed in the maintainer meeting on 2024-01-29.

Mainly this is to avoid a situation where the name is parsed and
treated as a file name, mostly to protect users.
.-* and ..-* are also considered invalid because they might strip
on that separator to remove versions. Doesn't really work, but that's
what we decided, and I won't argue with it, because .-* probably
doesn't seem to have a real world application anyway.
We do still permit a 1-character name that's just "-", which still
poses a similar risk in such a situation. We can't start disallowing
trailing -, because a non-zero number of users will need it and we've
seen how annoying and painful such a change is.

What matters most is preventing a situation where . or .. can be
injected, and to just get this done.

(cherry picked from commit f1b4663)
@github-actions github-actions bot mentioned this pull request Jan 31, 2024
Merged
@roberth roberth closed this Jan 31, 2024
@roberth roberth reopened this Jan 31, 2024
@Ericson2314 Ericson2314 merged commit db82034 into 2.20-maintenance Jan 31, 2024
9 checks passed
@edolstra edolstra deleted the backport-9867-to-2.20-maintenance branch March 29, 2024 15:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thufschmitt thufschmitt Awaiting requested review from thufschmitt

@edolstra edolstra Awaiting requested review from edolstra edolstra is a code owner

Assignees
No one assigned
Labels
None yet
Projects
Nix team
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@roberth @Ericson2314