diff options
author | Phaedrus Leeds <mwleeds@protonmail.com> | 2022-07-23 20:10:24 -0500 |
---|---|---|
committer | Phaedrus Leeds <mwleeds@protonmail.com> | 2022-08-22 19:05:09 -0700 |
commit | 3a05714e2bca3ade97152e050f88ec7f09e79c24 (patch) | |
tree | eddbddc1e13f372bca83027a34a3c2143309c57f | |
parent | dc82a19dc58d1fee25f45daeb5114338526ec8f7 (diff) | |
download | flatpak-mwleeds/GHSA-45jq-5658-v38x.tar.gz |
system-helper: Validate ref arg in RemoveLocalRef methodmwleeds/GHSA-45jq-5658-v38x
This patch could be important in case the ref arg was maliciously
crafted to try to convince flatpak-system-helper to delete an arbitrary
file on the filesystem. However, in practice (a) recent versions of
libostree will not accept such a ref name which has e.g. "../" in it
thanks to https://github.com/ostreedev/ostree/pull/1286, and (b) even on
ancient versions of Flatpak that use a version of libostree without the
aforementioned patch, the exploit does not appear to be successful, at
least on Debian 9.
See https://github.com/flatpak/flatpak/security/advisories/GHSA-45jq-5658-v38x
-rw-r--r-- | system-helper/flatpak-system-helper.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/system-helper/flatpak-system-helper.c b/system-helper/flatpak-system-helper.c index 03410e84..a077cc62 100644 --- a/system-helper/flatpak-system-helper.c +++ b/system-helper/flatpak-system-helper.c @@ -1275,6 +1275,7 @@ handle_remove_local_ref (FlatpakSystemHelper *object, { g_autoptr(FlatpakDir) system = NULL; g_autoptr(GError) error = NULL; + g_autoptr(FlatpakDecomposed) ref = NULL; g_debug ("RemoveLocalRef %u %s %s %s", arg_flags, arg_remote, arg_ref, arg_installation); @@ -1299,6 +1300,13 @@ handle_remove_local_ref (FlatpakSystemHelper *object, return G_DBUS_METHOD_INVOCATION_HANDLED; } + ref = flatpak_decomposed_new_from_ref (arg_ref, &error); + if (ref == NULL) + { + g_dbus_method_invocation_return_gerror (invocation, error); + return G_DBUS_METHOD_INVOCATION_HANDLED; + } + if (!flatpak_dir_ensure_repo (system, NULL, &error)) { g_dbus_method_invocation_return_gerror (invocation, error); |