admin/brew
1
0
Fork 0
Code Issues Packages Projects Releases 6 Wiki Activity

formulary: further deprecate URLs.

Browse Source 
Installation of formulae from URLs has many attack vectors and is
fundamentally insecure, unsupported, regularly recommended against and
generally a terrible idea. There's plenty of ways to take that URL,
manually verify it and put it somewhere that Homebrew does support so
let's deprecate this way of doing things.
This commit is contained in:
Mike McQuaid 2020-05-29 13:15:08 +01:00
parent 0b0bf60ad5
commit a35825ff23
No known key found for this signature in database
GPG Key ID: 48A898132FD8EE70
1 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
Library/Homebrew/formulary.rb
View File

@ -9,6 +9,8 @@ require "extend/cachable"
module Formulary module Formulary
extend Cachable extend Cachable
URL_START_REGEX = %r{(https?|ftp|file)://}.freeze
def self.enable_factory_cache! def self.enable_factory_cache!
@factory_cache = true @factory_cache = true
end end
@ -141,7 +143,7 @@ module Formulary
class BottleLoader < FormulaLoader class BottleLoader < FormulaLoader
def initialize(bottle_name) def initialize(bottle_name)
case bottle_name case bottle_name
when %r{(https?|ftp|file)://} when URL_START_REGEX
# The name of the formula is found between the last slash and the last hyphen. # The name of the formula is found between the last slash and the last hyphen.
formula_name = File.basename(bottle_name)[/(.+)-/, 1] formula_name = File.basename(bottle_name)[/(.+)-/, 1]
resource = Resource.new(formula_name) { url bottle_name } resource = Resource.new(formula_name) { url bottle_name }
@ -205,8 +207,12 @@ module Formulary
def load_file def load_file
if url =~ %r{githubusercontent.com/[\w-]+/[\w-]+/[a-f0-9]{40}(/Formula)?/([\w+-.@]+).rb} if url =~ %r{githubusercontent.com/[\w-]+/[\w-]+/[a-f0-9]{40}(/Formula)?/([\w+-.@]+).rb}
formula_name = Regexp.last_match(2) formula_name = Regexp.last_match(2)
odeprecated "Installation of #{formula_name} from a commit URL", odeprecated "Installation of #{formula_name} from a GitHub commit URL",
"Use 'brew extract #{formula_name}' to stable tap." "'brew extract #{formula_name}' to stable tap on GitHub"
elsif url.match?(%r{^(https?|ftp)://})
odeprecated "Non-checksummed download of #{name} formula file from an arbitrary URL",
"'brew extract' or 'brew create' and 'brew tap-new' to create a "\
"formula file in a tap on GitHub"
end end
HOMEBREW_CACHE_FORMULA.mkpath HOMEBREW_CACHE_FORMULA.mkpath
FileUtils.rm_f(path) FileUtils.rm_f(path)
@ -413,7 +419,7 @@ module Formulary
case ref case ref
when Pathname::BOTTLE_EXTNAME_RX when Pathname::BOTTLE_EXTNAME_RX
return BottleLoader.new(ref) return BottleLoader.new(ref)
when %r{(https?|ftp|file)://} when URL_START_REGEX
return FromUrlLoader.new(ref) return FromUrlLoader.new(ref)
when HOMEBREW_TAP_FORMULA_REGEX when HOMEBREW_TAP_FORMULA_REGEX
return TapLoader.new(ref, from: from) return TapLoader.new(ref, from: from)