GNOME.org
 

[gnome-shell/gnome-40] dbusServices/notifications: Disallow acting on "foreign" IDs

commit 0096ab5af844642f917d62dd0f8b6d4c30c904de
Author: Florian Müllner <fmuellner gnome org>
Date:   Thu Feb 3 02:34:37 2022 +0100

    dbusServices/notifications: Disallow acting on "foreign" IDs
    
    The Notify() and CloseNotification() methods act on a notification,
    identified by the passed ID. Just like it makes sense to only emit
    notification signals to the original sender, those methods should
    be restricted to the notification owner.
    
    https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/5008
    
    (cherry picked from commit 35466b0e0a31c2a26ed257c5b45647f6758b5c95)
    
    Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/2181>

 .../notifications/notificationDaemon.js            | 24 ++++++++++++++++++++++
 1 file changed, 24 insertions(+)
---
diff --git a/js/dbusServices/notifications/notificationDaemon.js 
b/js/dbusServices/notifications/notificationDaemon.js
index 6fb215053d..139075256e 100644
--- a/js/dbusServices/notifications/notificationDaemon.js
+++ b/js/dbusServices/notifications/notificationDaemon.js
@@ -66,6 +66,22 @@ var NotificationDaemon = class extends ServiceImplementation {
         });
     }
 
+    _checkNotificationId(invocation, id) {
+        if (id === 0)
+            return true;
+
+        if (!this._activeNotifications.has(id))
+            return true;
+
+        if (this._activeNotifications.get(id) === invocation.get_sender())
+            return true;
+
+        const error = new GLib.Error(Gio.DBusError,
+            Gio.DBusError.INVALID_ARGS, 'Invalid notification ID');
+        this._handleError(invocation, error);
+        return false;
+    }
+
     register() {
         Gio.DBus.session.own_name(
             'org.freedesktop.Notifications',
@@ -76,8 +92,12 @@ var NotificationDaemon = class extends ServiceImplementation {
     async NotifyAsync(params, invocation) {
         const sender = invocation.get_sender();
         const pid = await this._getSenderPid(sender);
+        const replaceId = params[1];
         const hints = params[6];
 
+        if (!this._checkNotificationId(invocation, replaceId))
+            return;
+
         params[6] = {
             ...hints,
             'sender-pid': new GLib.Variant('u', pid),
@@ -94,6 +114,10 @@ var NotificationDaemon = class extends ServiceImplementation {
     }
 
     CloseNotificationAsync(params, invocation) {
+        const [id] = params;
+        if (!this._checkNotificationId(invocation, id))
+            return;
+
         this._proxy.CloseNotificationRemote(...params, (res, error) => {
             if (this._handleError(invocation, error))
                 return;
[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]