download: Protect against dangling symlinks in $SSL_CERT_DIR.

Reported by Christopher Baines <mail@cbaines.net>
in <https://bugs.gnu.org/25213>.

* guix/build/download.scm (make-credendials-with-ca-trust-files): Check
whether FILE exists before calling
'set-certificate-credentials-x509-trust-file!'.

diff --git a/guix/build/download.scm b/guix/build/download.scm
index 8e32b3d..203338b 100644 (file)
--- a/guix/build/download.scm
+++ b/guix/build/download.scm
@@ -289,9 +289,12 @@ DIRECTORY.  Those authority certificates are checked when
                               (string-suffix? ".pem" file)))
                    '())))
     (for-each (lambda (file)
-                (set-certificate-credentials-x509-trust-file!
-                 cred (string-append directory "/" file)
-                 x509-certificate-format/pem))
+                (let ((file (string-append directory "/" file)))
+                  ;; Protect against dangling symlinks.
+                  (when (file-exists? file)
+                    (set-certificate-credentials-x509-trust-file!
+                     cred file
+                     x509-certificate-format/pem))))
               (or files '()))
     cred))