From 536c48e804407a99c9fe750ca31cd42c7c1fd55a Mon Sep 17 00:00:00 2001
From: Mike McQuaid
Date: Fri, 23 Sep 2016 08:26:49 +0100
Subject: [PATCH] sandbox: tweak HOMEBREW_REPOSITORY handling.

If we have a HOMEBREW_REPOSITORY and HOMEBREW_PREFIX mismatch (now the default) then we can block access to the whole of HOMEBREW_REPOSITORY rather than just the HOMEBREW_LIBRARY and `.git`.
---
 Library/Homebrew/cmd/postinstall.rb | 2 +-
 Library/Homebrew/sandbox.rb | 10 +++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/Library/Homebrew/cmd/postinstall.rb b/Library/Homebrew/cmd/postinstall.rb
index 71b71b3f5a..e0bd8e31b1 100644
--- a/Library/Homebrew/cmd/postinstall.rb
+++ b/Library/Homebrew/cmd/postinstall.rb
@@ -36,7 +36,7 @@ module Homebrew
 sandbox.allow_write_cellar(formula)
 sandbox.allow_write_xcode
 sandbox.allow_write_path HOMEBREW_PREFIX
- sandbox.deny_write_homebrew_library
+ sandbox.deny_write_homebrew_repository
 sandbox.exec(*args)
 else
 exec(*args)
diff --git a/Library/Homebrew/sandbox.rb b/Library/Homebrew/sandbox.rb
index a7fc99d4a2..4d0709cb4b 100644
--- a/Library/Homebrew/sandbox.rb
+++ b/Library/Homebrew/sandbox.rb
@@ -84,10 +84,14 @@ class Sandbox
 allow_write_path formula.logs
 end
- def deny_write_homebrew_library
- deny_write_path HOMEBREW_LIBRARY
- deny_write_path HOMEBREW_REPOSITORY/".git"
+ def deny_write_homebrew_repository
 deny_write HOMEBREW_BREW_FILE
+ if HOMEBREW_PREFIX.to_s != HOMEBREW_REPOSITORY.to_s
+ deny_write_path HOMEBREW_REPOSITORY
+ else
+ deny_write_path HOMEBREW_LIBRARY
+ deny_write_path HOMEBREW_REPOSITORY/".git"
+ end
 end
 def exec(*args)
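Review bot: The branch in `deny_write_homebrew_repository` is chosen by comparing `HOMEBREW_PREFIX.to_s` and `HOMEBREW_REPOSITORY.to_s` as raw strings, so two spellings of the same directory (a symlinked prefix, a trailing slash) count as a mismatch and the whole-repository deny then lands on what is really the prefix. That appears to fail closed rather than open, because postinstall would lose the write access to the prefix it was just granted, but the failure would be hard to diagnose; the same happens if the prefix is nested inside the repository. Comparing resolved paths avoids the first case, e.g. `if HOMEBREW_PREFIX.realpath != HOMEBREW_REPOSITORY.realpath`, assuming both constants are Pathnames as the `HOMEBREW_REPOSITORY/".git"` usage suggests. A comment above the `if` would also record why the narrower rule remains: `# With prefix == repository the whole repository cannot be denied, so protect only Library and .git.`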