mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-17 23:36:17 +01:00
fetchurl: only allow empty hash when cacert is available
We can use cacert to validate that the data passes SSL certificates. Normally, this doesn’t happen because we already have the hash, but in the hash = "" case we don’t.
This commit is contained in:
parent
a528cc1bca
commit
0046802ab6
3 changed files with 17 additions and 3 deletions
|
@ -15,8 +15,14 @@ curl=(
|
||||||
--retry 3
|
--retry 3
|
||||||
--disable-epsv
|
--disable-epsv
|
||||||
--cookie-jar cookies
|
--cookie-jar cookies
|
||||||
--insecure
|
|
||||||
--user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion"
|
--user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion"
|
||||||
|
)
|
||||||
|
|
||||||
|
if ! [ -f "$SSL_CERT_FILE" ]; then
|
||||||
|
curl+=(--insecure)
|
||||||
|
fi
|
||||||
|
|
||||||
|
curl+=(
|
||||||
$curlOpts
|
$curlOpts
|
||||||
$NIX_CURL_FLAGS
|
$NIX_CURL_FLAGS
|
||||||
)
|
)
|
||||||
|
|
|
@ -1,4 +1,6 @@
|
||||||
{ lib, buildPackages ? { inherit stdenvNoCC; }, stdenvNoCC, curl }: # Note that `curl' may be `null', in case of the native stdenvNoCC.
|
{ lib, buildPackages ? { inherit stdenvNoCC; }, stdenvNoCC
|
||||||
|
, curl # Note that `curl' may be `null', in case of the native stdenvNoCC.
|
||||||
|
, cacert ? null }:
|
||||||
|
|
||||||
let
|
let
|
||||||
|
|
||||||
|
@ -112,7 +114,8 @@ let
|
||||||
else if sha512 != "" then { outputHashAlgo = "sha512"; outputHash = sha512; }
|
else if sha512 != "" then { outputHashAlgo = "sha512"; outputHash = sha512; }
|
||||||
else if sha256 != "" then { outputHashAlgo = "sha256"; outputHash = sha256; }
|
else if sha256 != "" then { outputHashAlgo = "sha256"; outputHash = sha256; }
|
||||||
else if sha1 != "" then { outputHashAlgo = "sha1"; outputHash = sha1; }
|
else if sha1 != "" then { outputHashAlgo = "sha1"; outputHash = sha1; }
|
||||||
else { outputHashAlgo = "sha256"; outputHash = ""; };
|
else if cacert != null then { outputHashAlgo = "sha256"; outputHash = ""; }
|
||||||
|
else throw "fetchurl requires a hash for fixed-output derivation: ${lib.concatStringsSep ", " urls_}";
|
||||||
in
|
in
|
||||||
|
|
||||||
stdenvNoCC.mkDerivation {
|
stdenvNoCC.mkDerivation {
|
||||||
|
@ -134,6 +137,10 @@ stdenvNoCC.mkDerivation {
|
||||||
# New-style output content requirements.
|
# New-style output content requirements.
|
||||||
inherit (hash_) outputHashAlgo outputHash;
|
inherit (hash_) outputHashAlgo outputHash;
|
||||||
|
|
||||||
|
SSL_CERT_FILE = if hash_.outputHash == ""
|
||||||
|
then "${cacert}/etc/ssl/certs/ca-bundle.crt"
|
||||||
|
else "/no-cert-file.crt";
|
||||||
|
|
||||||
outputHashMode = if (recursiveHash || executable) then "recursive" else "flat";
|
outputHashMode = if (recursiveHash || executable) then "recursive" else "flat";
|
||||||
|
|
||||||
inherit curlOpts showURLs mirrorsFile postFetch downloadToTemp executable;
|
inherit curlOpts showURLs mirrorsFile postFetch downloadToTemp executable;
|
||||||
|
|
|
@ -331,6 +331,7 @@ in
|
||||||
then buildPackages.fetchurl # No need to do special overrides twice,
|
then buildPackages.fetchurl # No need to do special overrides twice,
|
||||||
else makeOverridable (import ../build-support/fetchurl) {
|
else makeOverridable (import ../build-support/fetchurl) {
|
||||||
inherit lib stdenvNoCC buildPackages;
|
inherit lib stdenvNoCC buildPackages;
|
||||||
|
inherit cacert;
|
||||||
curl = buildPackages.curl.override (old: rec {
|
curl = buildPackages.curl.override (old: rec {
|
||||||
# break dependency cycles
|
# break dependency cycles
|
||||||
fetchurl = stdenv.fetchurlBoot;
|
fetchurl = stdenv.fetchurlBoot;
|
||||||
|
|
Loading…
Reference in a new issue