brl/gnome-shell
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

screenshot: Restrict callers

Browse Source 
The shell D-Bus API was always meant as a private API for core
components, so enforce that by limiting caller to a list of
allowed well-known names.

Applications that want to request a screenshot can use the corresponding
desktop portal.

https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/3943

Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1970>
This commit is contained in:
Florian Müllner 2021-06-16 22:11:50 +02:00 committed by Marge Bot
parent a628bbc485
commit dd2cd6286c
1 changed files with 28 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
js/ui/screenshot.js
View File

@ -15,6 +15,7 @@ Gio._promisify(Shell.Screenshot.prototype,
'screenshot_area', 'screenshot_area_finish'); 'screenshot_area', 'screenshot_area_finish');
const { loadInterfaceXML } = imports.misc.fileUtils; const { loadInterfaceXML } = imports.misc.fileUtils;
const { DBusSenderChecker } = imports.misc.util;
const ScreenshotIface = loadInterfaceXML('org.gnome.Shell.Screenshot'); const ScreenshotIface = loadInterfaceXML('org.gnome.Shell.Screenshot');
@ -24,6 +25,12 @@ var ScreenshotService = class {
this._dbusImpl.export(Gio.DBus.session, '/org/gnome/Shell/Screenshot'); this._dbusImpl.export(Gio.DBus.session, '/org/gnome/Shell/Screenshot');
this._screenShooter = new Map(); this._screenShooter = new Map();
this._senderChecker = new DBusSenderChecker([
'org.gnome.SettingsDaemon.MediaKeys',
'org.freedesktop.impl.portal.desktop.gtk',
'org.freedesktop.impl.portal.desktop.gnome',
'org.gnome.Screenshot',
]);
this._lockdownSettings = new Gio.Settings({ schema_id: 'org.gnome.desktop.lockdown' }); this._lockdownSettings = new Gio.Settings({ schema_id: 'org.gnome.desktop.lockdown' });
@ -46,6 +53,13 @@ var ScreenshotService = class {
Gio.IOErrorEnum, Gio.IOErrorEnum.PERMISSION_DENIED, Gio.IOErrorEnum, Gio.IOErrorEnum.PERMISSION_DENIED,
'Saving to disk is disabled'); 'Saving to disk is disabled');
return null; return null;
} else {
try {
this._senderChecker.checkInvocation(invocation);
} catch (e) {
invocation.return_gerror(e);
return null;
}
} }
let shooter = new Shell.Screenshot(); let shooter = new Shell.Screenshot();
@ -254,6 +268,13 @@ var ScreenshotService = class {
} }
async SelectAreaAsync(params, invocation) { async SelectAreaAsync(params, invocation) {
try {
this._senderChecker.checkInvocation(invocation);
} catch (e) {
invocation.return_gerror(e);
return;
}
let selectArea = new SelectArea(); let selectArea = new SelectArea();
try { try {
let areaRectangle = await selectArea.selectAsync(); let areaRectangle = await selectArea.selectAsync();
@ -269,6 +290,13 @@ var ScreenshotService = class {
} }
FlashAreaAsync(params, invocation) { FlashAreaAsync(params, invocation) {
try {
this._senderChecker.checkInvocation(invocation);
} catch (e) {
invocation.return_gerror(e);
return;
}
let [x, y, width, height] = params; let [x, y, width, height] = params;
[x, y, width, height] = this._scaleArea(x, y, width, height); [x, y, width, height] = this._scaleArea(x, y, width, height);
if (!this._checkArea(x, y, width, height)) { if (!this._checkArea(x, y, width, height)) {