From 0c30def4952fb51ada4f5ebbe15f19b9846afc4a Mon Sep 17 00:00:00 2001
From: aszlig
Date: Wed, 19 Apr 2017 08:55:48 +0200
Subject: pkgs/santander: Whitelist webkitgtk2 for dwb

WebKitGTK+ has a bunch of security vulnerabilities:

 * WSA-2017-0002
 * WSA-2017-0001
 * WSA-2016-0006
 * WSA-2016-0005
 * WSA-2016-0004

We're using dwb in conjunction with this insecure version only for *one* specific application with *one* specific web site, so the attack surface is relatively low.

The main issue with this is that the plugin required for the Santander page is based on NPAPI and most of the browsers out there do not support NPAPI, except a few ones:

https://en.wikipedia.org/wiki/NPAPI#Browser_support

I've tried to embed the plugin within Midori but I couldn't get it to work so far (Midori just says "No plugin available"), so I'm sticking with dwb for now, because the other browsers listed here either have the same problem (uzbl) or are simply too heavyweight.

Signed-off-by: aszlig
---
 pkgs/santander/default.nix | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

(limited to 'pkgs/santander')

diff --git a/pkgs/santander/default.nix b/pkgs/santander/default.nix
index 80263897..1821403c 100644
--- a/pkgs/santander/default.nix
+++ b/pkgs/santander/default.nix
@@ -1,6 +1,6 @@
 { stdenv, fetchurl, fetchgit, fetchFromBitbucket
 , runCommand, writeScript, writeScriptBin, writeText
-, xvfb_run, xdotool, coreutils, wineMinimal, pipelight, dwb, pcsclite
+, xvfb_run, xdotool, coreutils, wineMinimal, pipelight, dwb-unwrapped, pcsclite
 }:
 
 let
@@ -128,19 +128,25 @@ let
       "$out/lib/pipelight/libpipelight-santander.so"
     '';
 
-  dwbWithPlugin = stdenv.lib.overrideDerivation dwb (wrapperDrv: {
-    plugins = [ "${finalPlugin}/lib/pipelight" ];
-  });
+  # Allow to use dwb for now until we have a better solution.
+  dwb = dwb-unwrapped.override {
+    inherit (import (import ../../nixpkgs-path.nix) {
+      inherit (stdenv) system;
+      config = {
+        permittedInsecurePackages = [ "webkitgtk-2.4.11" ];
+      };
+    }) webkitgtk2;
+  };
+
+  inherit (stdenv.lib) escapeShellArg;
 
 in writeScriptBin "santander" ''
   #!${stdenv.shell}
   if tmpdir="$("${coreutils}/bin/mktemp" -d)"; then
     trap "rm -rf '$tmpdir'" EXIT
-    export XDG_RUNTIME_DIR="$tmpdir"
-    export XDG_CONFIG_HOME="$tmpdir"
-    export XDG_DATA_HOME="$tmpdir"
-    export XDG_CACHE_HOME="$tmpdir"
-    "${dwbWithPlugin}/bin/dwb" -t https://karte.santanderbank.de/
+    export HOME="$tmpdir"
+    export MOZ_PLUGIN_PATH=${escapeShellArg "${finalPlugin}/lib/pipelight"}
+    "${dwb}/bin/dwb" -t https://karte.santanderbank.de/
     exit $?
   else
     echo "Unable to create temporary profile directory." >&2
-- 
cgit 1.4.1
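Review bot: The `# Allow to use dwb for now until we have a better solution.` comment above `dwb = dwb-unwrapped.override {` records neither that an insecure package is being deliberately permitted nor why, so the next maintainer has to recover the rationale from the commit history; I would replace it with something like `# webkitgtk-2.4.11 is flagged insecure in nixpkgs (WSA-2016-0004 .. WSA-2017-0002); it is permitted only because dwb is the one NPAPI-capable browser that works with the Santander plugin, and it is launched against a single site from a throwaway profile.` It is also worth stating in that comment that `permittedInsecurePackages` matches the exact name-version string, so a webkitgtk2 bump in nixpkgs will make this evaluation fail rather than silently pick up a different package — fail-closed, but it will need a manual update. The nested `import (import ../../nixpkgs-path.nix) { inherit (stdenv) system; config = ...; }` presumably evaluates nixpkgs a second time with only `system` and `config` set, so overlays or other config applied to the outer nixpkgs would not reach this `webkitgtk2`; if that is intended, a one-line comment saying so would prevent a later "fix". The `let` block and the wrapper script both start and end outside this hunk.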