download: Use ungrafted tools in 'url-fetch/tarbomb' and 'url-fetch/zipbomb'.

Fixes <https://bugs.gnu.org/31085>. Reported by Diego Nicola Barbato <dnbarbato@posteo.de>. * guix/download.scm (url-fetch/tarbomb): Pass #:graft? #f to 'gexp->derivation'. (url-fetch/zipbomb): Likewise.
2018-04-23 14:33:11 +02:00 · 2018-04-23 14:33:11 +02:00 · 5e5d6613a3
commit 5e5d6613a3
parent de7f03ce0a
1 changed files with 7 additions and 1 deletions
--- a/guix/download.scm
+++ b/guix/download.scm
@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013, 2014, 2015 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2015 Federico Beffa <beffa@fbengineering.ch>
 ;;; Copyright © 2016 Alex Griffin <a@ajgrf.com>
@ -509,6 +509,8 @@ own.  This helper makes it easier to deal with \"tar bombs\"."
                                      #:system system
                                      #:guile guile)))
    ;; Take the tar bomb, and simply unpack it as a directory.
+    ;; Use ungrafted tar/gzip so that the resulting tarball doesn't depend on
+    ;; whether grafts are enabled.
    (gexp->derivation (or name file-name)
                      #~(begin
                          (mkdir #$output)
@ -516,6 +518,7 @@ own.  This helper makes it easier to deal with \"tar bombs\"."
                          (chdir #$output)
                          (zero? (system* (string-append #$tar "/bin/tar")
                                          "xf" #$drv)))
+                      #:graft? #f
                      #:local-build? #t)))

 (define* (url-fetch/zipbomb url hash-algo hash
@ -539,12 +542,15 @@ own.  This helper makes it easier to deal with \"zip bombs\"."
                                      #:system system
                                      #:guile guile)))
    ;; Take the zip bomb, and simply unpack it as a directory.
+    ;; Use ungrafted unzip so that the resulting tarball doesn't depend on
+    ;; whether grafts are enabled.
    (gexp->derivation (or name file-name)
                      #~(begin
                          (mkdir #$output)
                          (chdir #$output)
                          (zero? (system* (string-append #$unzip "/bin/unzip")
                                          #$drv)))
+                      #:graft? #f
                      #:local-build? #t)))

 (define* (download-to-store store url #:optional (name (basename url))