cabal install with qualified component leads to curl exception #7815
Comments
I can't repro on master. It compiles and installs fine. Your result is from 3.4.1? How about 3.6.2?
With
Fails
because but
cabal-install-3.4 got functionality to install from URI: #6576 I don't think this can be exploited. Of course user can run I didn't want to hardcode known schemes for URL download, as
It's not entirely clear what the right behaviour should be here, so downgrading priority.
@phadej wrote:
I do think so. Say you are not a cabal developer but you review a PR that changes (somewhere in a big PR)
into
with some comment that "the new, fully qualified package selectors are used (more robust)". This guy has a malicious version of A tool like
@Mikolaj wrote:
Well, the right behavior is:
The current code just tries parsing package component first and URI later, and does not care about the overlap: cabal/cabal-install/src/Distribution/Client/CmdInstall/ClientInstallTargetSelector.hs Lines 23 to 43 in cb2b639
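The overlap described above, as an added illustration (this is not cabal's code and not the logic of ClientInstallTargetSelector.hs): a qualified target of the form `package:ctype:component` is also a syntactically valid URI whose scheme is the package name, so a parser that accepts "anything with a scheme" as a download URI will hand the selector to the downloader. The sample targets are constructed, and the stricter rule (require a scheme followed by `//` before treating the argument as a URI) is an assumption made for the example, not a rule the thread settled on.

```python
from urllib.parse import urlsplit

# Constructed sample inputs: a bare package, cabal-style qualified
# selectors (package:ctype:component), and genuine download URIs.
SAMPLE_TARGETS = [
    "foo",
    "foo:lib:foo",
    "foo:exe:foo-cli",
    "lib:foo",
    "https://example.invalid/foo-1.0.tar.gz",
    "file:///tmp/foo-1.0.tar.gz",
]


def looks_like_uri_naive(target: str) -> bool:
    """The ambiguous reading: any syntactically valid scheme prefix
    ("foo:") makes the string parse as a URI.  urlsplit("foo:lib:foo")
    yields scheme "foo" and path "lib:foo", so a qualified selector is
    indistinguishable from a URI under this rule."""
    return urlsplit(target).scheme != ""


def looks_like_uri_strict(target: str) -> bool:
    """Assumed disambiguation rule (hypothetical, not cabal's): treat the
    argument as a download URI only if it has a scheme AND the part after
    the scheme begins with "//" (an authority, possibly empty as in
    file:///path).  Qualified selectors never contain "//", so they are
    never sent to the downloader.  Caveat: a scheme-only form such as
    "file:relative/path" is rejected by this rule as well."""
    scheme = urlsplit(target).scheme
    if not scheme:
        return False
    rest = target[len(scheme) + 1:]
    return rest.startswith("//")


def classify(target: str) -> str:
    """Order the checks so that selector parsing wins on the overlap:
    only an unambiguous URI is classified as "uri"."""
    return "uri" if looks_like_uri_strict(target) else "selector"


def misclassified_by_naive_rule(targets=SAMPLE_TARGETS) -> list:
    """Return the inputs the naive rule would treat as URIs even though
    the strict rule classifies them as package/component selectors."""
    return [t for t in targets
            if looks_like_uri_naive(t) and classify(t) == "selector"]


if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print(f"{t!r:45} naive_uri={looks_like_uri_naive(t)!s:5} "
              f"classified={classify(t)}")
    print("would be handed to the downloader by the naive rule:",
          misclassified_by_naive_rule())
```

Running the block prints, for each sample, whether the naive rule sees a URI and how the strict rule classifies it; the three qualified selectors are the ones the naive rule would pass to the download path.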
@phadej wrote:
cabal install with qualified component leads to curl exception:
Correct error given in 3.2:
(I wonder whether this could be exploited: injecting code into the curl request. In any case, sanitization seems to be missing.)