dbus-daemon: Filter out unknown header fields

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=100317 Reviewed-by: Philip Withnall <withnall@endlessm.com> Signed-off-by: Simon McVittie <smcv@collabora.com>
author: Simon McVittie <smcv@collabora.com> 2017-12-12 14:05:04 +0000
committer: Simon McVittie <smcv@collabora.com> 2018-01-11 18:35:20 +0000
commit: 9bb330d82ab2bf60b5ec27b2b3e01d40d872243e (patch)
tree: 6619ecc7049284c556a8b6d835f311524e0ae056 /doc
parent: 138f51f94afc385fb902f00c808a682e43198dad (diff)
download: dbus-9bb330d82ab2bf60b5ec27b2b3e01d40d872243e.tar.gz
1 files changed, 24 insertions, 1 deletions
diff --git a/doc/dbus-specification.xml b/doc/dbus-specification.xml
index 386a63df..c58c97cc 100644
--- a/doc/dbus-specification.xml
+++ b/doc/dbus-specification.xml
@@ -1618,7 +1618,10 @@
           mutually-distrustful client to another, such as the message
           bus, should remove header fields that the server does not
           recognise. However, a client must assume that the server has
-          not done so, unless it has evidence to the contrary.
+          not done so, unless it has evidence to the contrary,
+          such as having checked for the <literal>HeaderFiltering</literal>
+          <link linkend="message-bus-properties-features">message bus
+            feature</link>.
         </para>
 
         <para>
@@ -7030,6 +7033,26 @@
             </varlistentry>
 
             <varlistentry>
+              <term><literal>HeaderFiltering</literal></term>
+              <listitem>
+                <para>
+                  This message bus guarantees that it will remove
+                  header fields that it does not understand when it
+                  relays messages, so that a client receiving a
+                  recently-defined header field that is specified to be
+                  controlled by the message bus can safely assume that
+                  it was in fact set by the message bus. This check is
+                  needed because older message bus implementations did
+                  not guarantee to filter headers in this way, so a
+                  malicious client could send any recently-defined
+                  header field with a crafted value of its choice
+                  through an older message bus that did not understand
+                  that header field.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
               <term><literal>SELinux</literal></term>
               <listitem>
                 <para>
author	Simon McVittie <smcv@collabora.com>	2017-12-12 14:05:04 +0000
committer	Simon McVittie <smcv@collabora.com>	2018-01-11 18:35:20 +0000
commit	9bb330d82ab2bf60b5ec27b2b3e01d40d872243e (patch)
tree	6619ecc7049284c556a8b6d835f311524e0ae056 /doc
parent	138f51f94afc385fb902f00c808a682e43198dad (diff)
download	dbus-9bb330d82ab2bf60b5ec27b2b3e01d40d872243e.tar.gz