author | aszlig <aszlig@redmoonstudios.org> | 2017-04-19 08:55:48 +0200 |
---|---|---|
committer | aszlig <aszlig@redmoonstudios.org> | 2017-04-19 08:55:48 +0200 |
commit | 0c30def4952fb51ada4f5ebbe15f19b9846afc4a (patch) | |
tree | 1bc3f7acbf2ac668013da5d5be87311cbf42b331 /pkgs/santander/default.nix | |
parent | 180ba349bc9caa660ae411f2d8a58c91192af1e0 (diff) |
pkgs/santander: Whitelist webkitgtk2 for dwb
WebKitGTK+ has a bunch of security vulnerabilities: * WSA-2017-0002 * WSA-2017-0001 * WSA-2016-0006 * WSA-2016-0005 * WSA-2016-0004 We're using dwb in conjunction with this insecure version only for *one* specific application with *one* specific web site, so the attack surface is relatively low. The main issue with this is that the plugin required for the Santander page is based on NPAPI and most of the browsers out there do not support NPAPI, except a few ones: https://en.wikipedia.org/wiki/NPAPI#Browser_support I've tried to embed the plugin within Midori but I couldn't get it to work so far (Midori just says "No plugin available"), so I'm sticking with dwb for now, because the other browsers listed here either have the same problem (uzbl) or are simply too heavyweight. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Diffstat (limited to 'pkgs/santander/default.nix')
-rw-r--r-- | pkgs/santander/default.nix | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/pkgs/santander/default.nix b/pkgs/santander/default.nix
index 80263897..1821403c 100644
--- a/pkgs/santander/default.nix
+++ b/pkgs/santander/default.nix
@@ -1,6 +1,6 @@
 { stdenv, fetchurl, fetchgit, fetchFromBitbucket
 , runCommand, writeScript, writeScriptBin, writeText
-, xvfb_run, xdotool, coreutils, wineMinimal, pipelight, dwb, pcsclite
+, xvfb_run, xdotool, coreutils, wineMinimal, pipelight, dwb-unwrapped, pcsclite
 }:
 
 let
@@ -128,19 +128,25 @@ let
     "$out/lib/pipelight/libpipelight-santander.so"
   '';
 
-  dwbWithPlugin = stdenv.lib.overrideDerivation dwb (wrapperDrv: {
-    plugins = [ "${finalPlugin}/lib/pipelight" ];
-  });
+  # Allow to use dwb for now until we have a better solution.
+  dwb = dwb-unwrapped.override {
+    inherit (import (import ../../nixpkgs-path.nix) {
+      inherit (stdenv) system;
+      config = {
+        permittedInsecurePackages = [ "webkitgtk-2.4.11" ];
+      };
+    }) webkitgtk2;
+  };
+
+  inherit (stdenv.lib) escapeShellArg;
 
 in writeScriptBin "santander" ''
   #!${stdenv.shell}
   if tmpdir="$("${coreutils}/bin/mktemp" -d)"; then
     trap "rm -rf '$tmpdir'" EXIT
-    export XDG_RUNTIME_DIR="$tmpdir"
-    export XDG_CONFIG_HOME="$tmpdir"
-    export XDG_DATA_HOME="$tmpdir"
-    export XDG_CACHE_HOME="$tmpdir"
-    "${dwbWithPlugin}/bin/dwb" -t https://karte.santanderbank.de/
+    export HOME="$tmpdir"
+    export MOZ_PLUGIN_PATH=${escapeShellArg "${finalPlugin}/lib/pipelight"}
+    "${dwb}/bin/dwb" -t https://karte.santanderbank.de/
     exit $?
   else
     echo "Unable to create temporary profile directory." >&2 |
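Review bot: Replacing the four `export XDG_*="$tmpdir"` lines with a single `export HOME="$tmpdir"` weakens the profile isolation that is the stated reason for running the insecure WebKitGTK+ build at all: when the caller's session already sets `XDG_CONFIG_HOME`, `XDG_DATA_HOME` or `XDG_CACHE_HOME`, those take precedence over the `$HOME`-derived defaults, so dwb would read and write the user's real config, data and cache directories instead of the throwaway one. I would keep the explicit overrides alongside the new `HOME`, e.g. `export XDG_CONFIG_HOME="$tmpdir" XDG_DATA_HOME="$tmpdir" XDG_CACHE_HOME="$tmpdir"`, so the temporary profile holds regardless of the invoking environment. The comment above the new `dwb` binding, `# Allow to use dwb for now until we have a better solution.`, should also say why the whitelist exists — something like `# webkitgtk-2.4.11 is whitelisted despite WSA-2016-0004..WSA-2017-0002 because dwb is the only browser here that still loads the NPAPI plugin; only ever point it at the Santander site` — so the risk accepted by `permittedInsecurePackages` is visible at the place it is granted rather than only in the commit message. The `writeScriptBin` body continues past the end of the hunk.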