Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict direct url installs to the file:// scheme #17697

Merged
merged 1 commit into from
Jul 13, 2024
Merged

Restrict direct url installs to the file:// scheme #17697

merged 1 commit into from
Jul 13, 2024

Conversation

Rylan12
Copy link
Member

@Rylan12 Rylan12 commented Jul 13, 2024
edited
Loading

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew typecheck with your changes locally?
  • Have you successfully run brew tests with your changes locally?

We already don't allow installing or loading formulae directly from a URL (e.g. brew install https://example.com/foo.tar.gz), so this PR extends that to casks and also strengthens the check to ensure that the file:// URL scheme is the only one allowed by FromURILoader.

Additionally, this PR does not allow loading formulae directly form a bottle URL (except for a file:// URL).

I've opted to still have this return an error message like is currently done, but we also could put a deprecation there and eventually just have Formulary.loader_for("https://...") go right to NullLoader.

@Rylan12
Copy link
Member Author

Rylan12 commented Jul 13, 2024

Actually, it looks like #17695 removes the URI stuff from FromBottleLoader anyway which removes the need for some of this. If that gets merged first, I'll rebase here.

@MikeMcQuaid
Copy link
Member

Actually, it looks like #17695 removes the URI stuff from FromBottleLoader anyway which removes the need for some of this. If that gets merged first, I'll rebase here.

Just merged it, thanks @Rylan12!

MikeMcQuaid
MikeMcQuaid approved these changes Jul 13, 2024
View reviewed changes
Library/Homebrew/cask/cask_loader.rb Outdated Show resolved Hide resolved
woodruffw
woodruffw approved these changes Jul 13, 2024
View reviewed changes
Copy link
Member

@woodruffw woodruffw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs deconflict but LGTM, thanks @Rylan12!

@MikeMcQuaid MikeMcQuaid merged commit f45eefd into master Jul 13, 2024
37 checks passed
@MikeMcQuaid MikeMcQuaid deleted the restrict-install-from-url branch July 13, 2024 17:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@woodruffw woodruffw woodruffw approved these changes

@MikeMcQuaid MikeMcQuaid MikeMcQuaid approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Rylan12 @MikeMcQuaid @woodruffw