From 9bb330d82ab2bf60b5ec27b2b3e01d40d872243e Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Tue, 12 Dec 2017 14:05:04 +0000 Subject: dbus-daemon: Filter out unknown header fields Bug: https://bugs.freedesktop.org/show_bug.cgi?id=100317 Reviewed-by: Philip Withnall Signed-off-by: Simon McVittie --- doc/dbus-specification.xml | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/dbus-specification.xml b/doc/dbus-specification.xml index 386a63df..c58c97cc 100644 --- a/doc/dbus-specification.xml +++ b/doc/dbus-specification.xml @@ -1618,7 +1618,10 @@ mutually-distrustful client to another, such as the message bus, should remove header fields that the server does not recognise. However, a client must assume that the server has - not done so, unless it has evidence to the contrary. + not done so, unless it has evidence to the contrary, + such as having checked for the HeaderFiltering + message bus + feature. @@ -7029,6 +7032,26 @@ + + HeaderFiltering + + + This message bus guarantees that it will remove + header fields that it does not understand when it + relays messages, so that a client receiving a + recently-defined header field that is specified to be + controlled by the message bus can safely assume that + it was in fact set by the message bus. This check is + needed because older message bus implementations did + not guarantee to filter headers in this way, so a + malicious client could send any recently-defined + header field with a crafted value of its choice + through an older message bus that did not understand + that header field. + + + + SELinux -- cgit v1.2.1