gitback/el-get
1
0
Fork 0
mirror of https://github.com/dimitri/el-get.git synced 2024-09-29 04:58:53 +08:00
Code Issues Packages Projects Releases Wiki Activity

Don't install insecurely without el-get-allow-insecure.

Browse Source 
In most cases, we assume any connection is insecure unless the URL
starts with "https://", "$USERNAME@", or "ssh". There are a few
exceptions: I'm assuming all Emacswiki packages are insecure, and I
don't think we can know whether packages installed via Google Go are
secure or not.
This commit is contained in:
Phil Hagelberg 2014-08-12 11:42:08 -07:00
parent f5a29eb0da
commit acdcb6e5b2
No known key found for this signature in database
GPG Key ID: 92893DA43FC33005
15 changed files with 43 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
el-get-custom.el
View File

@ -613,4 +613,9 @@ platforms where this recipe should apply"
)
,el-get-build-recipe-body))))))
(defcustom el-get-allow-insecure nil
"Allow packages to be installed over insecure connections."
:group 'el-get
:type 'boolean)
(provide 'el-get-custom)

9
el-get-methods.el
View File

@ -21,6 +21,15 @@
"methods"
(file-name-directory (or load-file-name buffer-file-name))))
(defun el-get-insecure-check (package url)
(when (and (not el-get-allow-insecure)
(not (string-match "^https://" url))
(not (string-match "^[-_\.A-Za-z0-9]+@" url))
(not (string-match "^ssh" url)))
(error (concat "Attempting to clone insecure package "
(el-get-as-string package)
" without `el-get-allow-insecure'."))))
(require 'el-get-apt-get)
(require 'el-get-builtin)
(require 'el-get-brew)

3
methods/el-get-bzr.el
View File

@ -26,6 +26,8 @@
(name (format "*bzr branch %s*" package))
(ok (format "Package %s installed" package))
(ko (format "Could not install package %s." package)))
(el-get-insecure-check package url)
(el-get-start-process-list
package
`((:command-name ,name
@ -44,6 +46,7 @@
(name (format "*bzr pull %s*" package))
(ok (format "Pulled package %s." package))
(ko (format "Could not update package %s." package)))
(el-get-insecure-check package url)
(el-get-start-process-list
package

2
methods/el-get-cvs.el
View File

@ -97,6 +97,7 @@ Enable this if you want el-get to honor these settings"
(ok (format "Checked out package %s." package))
(ko (format "Could not checkout package %s." package)))
(el-get-insecure-check package url)
;; (message "%S" `(:args ("-d" ,url "checkout" "-d" ,package ,module)))
;; (message "el-get-cvs-checkout: %S" (string= options "login"))
@ -130,6 +131,7 @@ Enable this if you want el-get to honor these settings"
(ok (format "Updated package %s." package))
(ko (format "Could not update package %s." package)))
(el-get-insecure-check package url)
(el-get-start-process-list
package
`((:command-name ,name

3
methods/el-get-darcs.el
View File

@ -27,6 +27,8 @@
(name (format "*darcs get %s*" package))
(ok (format "Package %s installed" package))
(ko (format "Could not install package %s." package)))
(el-get-insecure-check package url)
(el-get-start-process-list
package
`((:command-name ,name
@ -45,6 +47,7 @@
(name (format "*darcs pull %s*" package))
(ok (format "Pulled package %s." package))
(ko (format "Could not update package %s." package)))
(el-get-insecure-check package url)
(el-get-start-process-list
package

2
methods/el-get-elpa.el
View File

@ -139,6 +139,7 @@ the recipe, then return nil."
;; Prepend elpa-repo to `package-archives' for new package.el
(package-archives (append (when elpa-repo (list elpa-repo))
(when (boundp 'package-archives) package-archives))))
(el-get-insecure-check package url)
(unless (and elpa-dir (file-directory-p elpa-dir))
;; package-install does these only for interactive calls
@ -190,6 +191,7 @@ first time.")
"Ask elpa to update given PACKAGE."
(unless package--initialized
(package-initialize t))
(el-get-insecure-check package url)
(when el-get-elpa-do-refresh
(package-refresh-contents)
(when (eq el-get-elpa-do-refresh 'once)

1
methods/el-get-emacswiki.el
View File

@ -41,6 +41,7 @@ filename.el ;;; filename.el --- description"
(defun el-get-emacswiki-install (package url post-install-fun)
"Download a single-file PACKAGE over HTTP from emacswiki."
(let ((url (or url (format "%s%s.el" el-get-emacswiki-base-url package))))
(el-get-insecure-check package "http://insecure") ; insecure even over HTTPS
(el-get-http-install package url post-install-fun)))
(defun el-get-emacswiki-compute-checksum (package)

5
methods/el-get-fossil.el
View File

@ -57,6 +57,8 @@ are stored in the package directory"
(open-args (list "open" "--nested" (expand-file-name fossil-name fossil-dir) checkout))
(ok (format "Package %s installed." package))
(ko (format "Could not install package %s." package)))
(el-get-insecure-check package url)
(el-get-start-process-list
package
(list
@ -101,7 +103,8 @@ are stored in the package directory"
(update-args (list "update" checkout))
(ok (format "Updated package %s." package))
(ko (format "Could not update package %s." package)))
(message "%s" update-args)
(el-get-insecure-check package url)
(el-get-start-process-list
package
`((:command-name ,name

3
methods/el-get-git-svn.el
View File

@ -30,6 +30,8 @@
(plist-get source :checksum)))
(ok (format "Package %s installed." package))
(ko (format "Could not install package %s." package)))
;; TODO: not sure if it's possible for svn:// URLs to use TLS?
(el-get-insecure-check package url)
(el-get-start-process-list
package
@ -61,6 +63,7 @@
(r-name (format "*git svn rebase %s*" package))
(r-ok (format "Rebased package %s." package))
(r-ko (format "Could not rebase package %s." package)))
(el-get-insecure-check package url)
(el-get-start-process-list
package

4
methods/el-get-git.el
View File

@ -72,6 +72,8 @@ found."
(list url pname)))
(ok (format "Package %s installed." package))
(ko (format "Could not install package %s." package)))
(el-get-insecure-check package url)
(el-get-start-process-list
package
(list
@ -117,6 +119,8 @@ found."
(pull-args (list "--no-pager" (if checkout "fetch" "pull")))
(ok (format "Pulled package %s." package))
(ko (format "Could not update package %s." package)))
(el-get-insecure-check package url)
(el-get-start-process-list
package
`((:command-name ,name

1
methods/el-get-github.el
View File

@ -80,6 +80,7 @@ USERNAME and REPONAME are strings."
(defun el-get-github-clone (package url post-install-fun)
"Clone the given package from Github following the URL."
(el-get-insecure-check package url)
(el-get-git-clone package
(or url (el-get-github-url package))
post-install-fun))

1
methods/el-get-go.el
View File

@ -31,6 +31,7 @@
(name (format "*go get %s*" package))
(ok (format "Package %s installed." package))
(ko (format "Could not install package %s." package)))
;; TODO: no idea how to check this for insecure connections
(unless (file-directory-p pdir)
(make-directory pdir))
(setenv "GOPATH" pdir)

2
methods/el-get-hg.el
View File

@ -35,6 +35,7 @@
(list url pname)))
(ok (format "Package %s installed." package))
(ko (format "Could not install package %s." package)))
(el-get-insecure-check package url)
(el-get-start-process-list
package
@ -59,6 +60,7 @@
(plist-get source :checksum)))
(ok (format "Pulled package %s." package))
(ko (format "Could not update package %s." package)))
(el-get-insecure-check package url)
(el-get-start-process-list
package

1
methods/el-get-http.el
View File

@ -68,6 +68,7 @@ into the package :localname option or its `file-name-nondirectory' part."
(dest (or dest (el-get-http-dest-filename package url))))
(unless (file-directory-p pdir)
(make-directory pdir))
(el-get-insecure-check package url)
(if (not el-get-default-process-sync)
(url-retrieve url 'el-get-http-retrieve-callback

2
methods/el-get-svn.el
View File

@ -36,6 +36,7 @@
(name (format "*svn checkout %s*" package))
(ok (format "Checked out package %s." package))
(ko (format "Could not checkout package %s." package)))
(el-get-insecure-check package url)
(el-get-start-process-list
package
@ -55,6 +56,7 @@
(name (format "*svn update %s*" package))
(ok (format "Updated package %s." package))
(ko (format "Could not update package %s." package)))
(el-get-insecure-check package url)
(el-get-start-process-list
package