[gnome-shell] global: Don't trust persistent/runtime state data



commit a207f67f73ea7790f9562b46843c5f83f72973de
Author: Will Thompson <wjt endlessm com>
Date:   Wed Aug 28 15:39:44 2019 +0100

    global: Don't trust persistent/runtime state data
    
    An Endless OS system was found in the wild with a malformed
    .local/share/gnome-shell/notifications. When deserialized in Python,
    after passing trusted=True to g_variant_new_from_bytes(), the first
    element of the first struct in the array looks like this:
    
        In [41]: _38.get_child_value(0).get_child_value(0)
        Out[41]: GLib.Variant('s', '\Uffffffff\Uffffffff\Uffffffff\Uffffffff\Uffffffff')
    
    When deserialised in GJS, we get:
    
        gjs> v.get_child_value(0).get_child_value(0)
        [object variant of type "s"]
        gjs> v.get_child_value(0).get_child_value(0).get_string()
        typein:43:1 malformed UTF-8 character sequence at offset 0
          @typein:43:1
          @<stdin>:1:34
    
    While g_variant_new_from_bytes() doesn't have much to say about its
    'trusted' parameter, g_variant_new_from_data() does:
    
    > If data is trusted to be serialised data in normal form then trusted
    > should be TRUE. This applies to serialised data created within this
    > process or read from a trusted location on the disk (such as a file
    > installed in /usr/lib alongside your application). You should set
    > trusted to FALSE if data is read from the network, a file in the
    > user's home directory, etc.
    
    Persistent state is read from the user's home directory, so it should
    not be trusted. With trusted=False, the string value above comes out as
    "".
    
    I don't have an explanation for how this file ended up being malformed.
    I also don't have an explanation for when this started crashing: my
    guess is that recent GJS became stricter about validating UTF-8 but I
    could be wrong!
    
    https://gitlab.gnome.org/GNOME/gnome-shell/issues/1552

 src/shell-global.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
---
diff --git a/src/shell-global.c b/src/shell-global.c
index 1556bf03d5..80f251272c 100644
--- a/src/shell-global.c
+++ b/src/shell-global.c
@@ -1577,7 +1577,7 @@ load_variant (GFile      *dir,
   else
     {
       GBytes *bytes = g_mapped_file_get_bytes (mfile);
-      res = g_variant_new_from_bytes (G_VARIANT_TYPE (property_type), bytes, TRUE);
+      res = g_variant_new_from_bytes (G_VARIANT_TYPE (property_type), bytes, FALSE);
       g_bytes_unref (bytes);
       g_mapped_file_unref (mfile);
     }
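Review bot: the bare FALSE now passed as the last argument of g_variant_new_from_bytes() in load_variant() should carry a short comment saying why, for example that the state file is read from the user's home directory and is therefore untrusted; the commit message itself notes that the documentation for this function says little about the parameter, so a later cleanup could easily flip it back. Separately, with untrusted data a malformed value is silently replaced by a default (the "" string described in the commit message), so corrupted state goes unnoticed; consider checking the result with g_variant_is_normal_form() and logging a warning when it is not, so that cases like the one in the linked issue leave a trace.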

