global: Don't trust persistent/runtime state data

An Endless OS system was found in the wild with a malformed
.local/share/gnome-shell/notifications. When deserialized in Python,
after passing trusted=True to g_variant_new_from_bytes(), the first
element of the first struct in the array looks like this:

    In [41]: _38.get_child_value(0).get_child_value(0)
    Out[41]: GLib.Variant('s', '\Uffffffff\Uffffffff\Uffffffff\Uffffffff\Uffffffff')

When deserialised in GJS, we get:

    gjs> v.get_child_value(0).get_child_value(0)
    [object variant of type "s"]
    gjs> v.get_child_value(0).get_child_value(0).get_string()
    typein:43:1 malformed UTF-8 character sequence at offset 0
      @typein:43:1
      @<stdin>:1:34

While g_variant_new_from_bytes() doesn't have much to say about its
'trusted' parameter, g_variant_new_from_data() does:

> If data is trusted to be serialised data in normal form then trusted
> should be TRUE. This applies to serialised data created within this
> process or read from a trusted location on the disk (such as a file
> installed in /usr/lib alongside your application). You should set
> trusted to FALSE if data is read from the network, a file in the
> user's home directory, etc.

Persistent state is read from the user's home directory, so it should
not be trusted. With trusted=False, the string value above comes out as
"".

I don't have an explanation for how this file ended up being malformed.
I also don't have an explanation for when this started crashing: my
guess is that recent GJS became stricter about validating UTF-8 but I
could be wrong!

https://gitlab.gnome.org/GNOME/gnome-shell/issues/1552
This commit is contained in:
Will Thompson 2019-08-28 15:39:44 +01:00 committed by Florian Müllner
parent b73aace476
commit a207f67f73

View File

@ -1577,7 +1577,7 @@ load_variant (GFile *dir,
else else
{ {
GBytes *bytes = g_mapped_file_get_bytes (mfile); GBytes *bytes = g_mapped_file_get_bytes (mfile);
res = g_variant_new_from_bytes (G_VARIANT_TYPE (property_type), bytes, TRUE); res = g_variant_new_from_bytes (G_VARIANT_TYPE (property_type), bytes, FALSE);
g_bytes_unref (bytes); g_bytes_unref (bytes);
g_mapped_file_unref (mfile); g_mapped_file_unref (mfile);
} }