install: Limit the exported file to a whitelist

Instead of exporting any files we add a whilelist of directories that get exported: share/applications share/icons share/dbus-1/services share/gnome-shell/search-providers share/mime/packages This avoids potentially installing some kind of file that the host system reads and interprets in a risky way. Applications and dbus services are safe because we rewrite them. Icons are safe as long as the image loaders are, and if they are not we have worse problems. Search providers and mime formats are somewhat problematic, and follow-up commits will rewrite these to be safer.
2017-05-11 15:28:19 +02:00 · 2017-05-11 15:28:19 +02:00 · e8369a69ef
parent 373d2155ec
commit e8369a69ef
1 changed files with 25 additions and 11 deletions
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@ -3701,21 +3701,35 @@ flatpak_export_dir (GFile        *source,
                    GCancellable *cancellable,
                    GError      **error)
 {
-  gboolean ret = FALSE;
+  const char *exported_subdirs[] = {
+    "share/applications",                  "../..",
+    "share/icons",                         "../..",
+    "share/dbus-1/services",               "../..",
+    "share/gnome-shell/search-providers",  "../../..",
+    "share/mime/packages",                 "../../..",
+  };
+  int i;

-  if (!flatpak_mkdir_p (destination, cancellable, error))
-    goto out;
+  for (i = 0; i < G_N_ELEMENTS(exported_subdirs); i = i + 2)
+    {
+      /* The fds are closed by this call */
+      g_autoptr(GFile) sub_source = g_file_resolve_relative_path (source, exported_subdirs[i]);
+      g_autoptr(GFile) sub_destination = g_file_resolve_relative_path (destination, exported_subdirs[i]);
+      g_autofree char *sub_symlink_prefix = g_build_filename (exported_subdirs[i+1], symlink_prefix, exported_subdirs[i], NULL);

-  /* The fds are closed by this call */
-  if (!export_dir (AT_FDCWD, flatpak_file_get_path_cached (source), symlink_prefix, "",
-                   AT_FDCWD, flatpak_file_get_path_cached (destination),
-                   cancellable, error))
-    goto out;
+      if (!g_file_query_exists (sub_source, cancellable))
+        continue;

-  ret = TRUE;
+      if (!flatpak_mkdir_p (sub_destination, cancellable, error))
+        return FALSE;

-out:
-  return ret;
+      if (!export_dir (AT_FDCWD, flatpak_file_get_path_cached (sub_source), sub_symlink_prefix, "",
+                       AT_FDCWD, flatpak_file_get_path_cached (sub_destination),
+                       cancellable, error))
+        return FALSE;
+    }
+
+  return TRUE;
 }

 gboolean