sandbox: tweak HOMEBREW_REPOSITORY handling.

If we have a HOMEBREW_REPOSITORY and HOMEBREW_PREFIX mismatch (now the default) then we can block access to the whole of HOMEBREW_REPOSITORY rather than just the HOMEBREW_LIBRARY and `.git`.
2016-09-23 08:26:49 +01:00 · 2016-09-23 08:26:49 +01:00 · 536c48e804
commit 536c48e804
parent 5cf3838f42
2 changed files with 8 additions and 4 deletions
--- a/Library/Homebrew/cmd/postinstall.rb
+++ b/Library/Homebrew/cmd/postinstall.rb
@ -36,7 +36,7 @@ module Homebrew
        sandbox.allow_write_cellar(formula)
        sandbox.allow_write_xcode
        sandbox.allow_write_path HOMEBREW_PREFIX
-        sandbox.deny_write_homebrew_library
+        sandbox.deny_write_homebrew_repository
        sandbox.exec(*args)
      else
        exec(*args)
--- a/Library/Homebrew/sandbox.rb
+++ b/Library/Homebrew/sandbox.rb
@ -84,10 +84,14 @@ class Sandbox
    allow_write_path formula.logs
  end

-  def deny_write_homebrew_library
-    deny_write_path HOMEBREW_LIBRARY
-    deny_write_path HOMEBREW_REPOSITORY/".git"
+  def deny_write_homebrew_repository
    deny_write HOMEBREW_BREW_FILE
+    if HOMEBREW_PREFIX.to_s != HOMEBREW_REPOSITORY.to_s
+      deny_write_path HOMEBREW_REPOSITORY
+    else
+      deny_write_path HOMEBREW_LIBRARY
+      deny_write_path HOMEBREW_REPOSITORY/".git"
+    end
  end

  def exec(*args)