brl/gnome-shell
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

dbusServices/notifications: Disallow acting on "foreign" IDs

Browse Source 
The Notify() and CloseNotification() methods act on a notification,
identified by the passed ID. Just like it makes sense to only emit
notification signals to the original sender, those methods should
be restricted to the notification owner.

https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/5008

Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/2153>
This commit is contained in:
Florian Müllner 2022-02-03 02:34:37 +01:00 committed by Marge Bot
parent 0cbab09044
commit 35466b0e0a
1 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
js/dbusServices/notifications/notificationDaemon.js
View File

@ -66,6 +66,22 @@ var NotificationDaemon = class extends ServiceImplementation {
}); });
} }
_checkNotificationId(invocation, id) {
if (id === 0)
return true;
if (!this._activeNotifications.has(id))
return true;
if (this._activeNotifications.get(id) === invocation.get_sender())
return true;
const error = new GLib.Error(Gio.DBusError,
Gio.DBusError.INVALID_ARGS, 'Invalid notification ID');
this._handleError(invocation, error);
return false;
}
register() { register() {
Gio.DBus.session.own_name( Gio.DBus.session.own_name(
'org.freedesktop.Notifications', 'org.freedesktop.Notifications',
@ -76,8 +92,12 @@ var NotificationDaemon = class extends ServiceImplementation {
async NotifyAsync(params, invocation) { async NotifyAsync(params, invocation) {
const sender = invocation.get_sender(); const sender = invocation.get_sender();
const pid = await this._getSenderPid(sender); const pid = await this._getSenderPid(sender);
const replaceId = params[1];
const hints = params[6]; const hints = params[6];
if (!this._checkNotificationId(invocation, replaceId))
return;
params[6] = { params[6] = {
...hints, ...hints,
'sender-pid': new GLib.Variant('u', pid), 'sender-pid': new GLib.Variant('u', pid),
@ -94,6 +114,10 @@ var NotificationDaemon = class extends ServiceImplementation {
} }
CloseNotificationAsync(params, invocation) { CloseNotificationAsync(params, invocation) {
const [id] = params;
if (!this._checkNotificationId(invocation, id))
return;
this._proxy.CloseNotificationRemote(...params, (res, error) => { this._proxy.CloseNotificationRemote(...params, (res, error) => {
if (this._handleError(invocation, error)) if (this._handleError(invocation, error))
return; return;