Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disallow @@ and @@u magic tokens in desktop files #4156

Merged
merged 3 commits into from Mar 10, 2021
Merged

Disallow @@ and @@u magic tokens in desktop files #4156

merged 3 commits into from Mar 10, 2021

Conversation

smcv
Copy link
Collaborator

@smcv smcv commented Mar 5, 2021
edited

  • Disallow @@ and @@u usage in desktop files

    From: @refi64

    Fixes CVE-2021-21381: Arbitrary file read/write without permissions via special token in .desktop file #4146.

  • dir: Reserve the whole @@ prefix

    If we add new features analogous to file forwarding later, we might
    find that we need a different magic token. Let's reserve the whole
    @@* namespace so we can call it @@something-else.

  • dir: Refuse to export .desktop files with suspicious uses of @@ tokens

    This is either a malicious/compromised app trying to do an attack, or
    a mistake that will break handling of %f, %u and so on. Either way,
    if we refuse to export the .desktop file, resulting in installation
    failing, then it makes the rejection more obvious than quietly
    removing the magic tokens.

This is a revised version of #4148, incorporating my suggestions. With this version, installing the app fails:

Error: Invalid Exec argument @@
error: Failed to install bundle com.example.Foo: Invalid Exec argument @@

cc @refi64 @matthiasclasen

refi64 and others added 3 commits March 2, 2021 13:20
@refi64
Disallow @@ and @@U usage in desktop files
cb6fce9 
Fixes flatpak#4146.
@smcv
dir: Reserve the whole @@ prefix
0bdcb88 
If we add new features analogous to file forwarding later, we might
find that we need a different magic token. Let's reserve the whole
@@* namespace so we can call it @@something-else.

Signed-off-by: Simon McVittie <smcv@collabora.com>
@smcv
dir: Refuse to export .desktop files with suspicious uses of @@ tokens
230f4c3 
This is either a malicious/compromised app trying to do an attack, or
a mistake that will break handling of %f, %u and so on. Either way,
if we refuse to export the .desktop file, resulting in installation
failing, then it makes the rejection more obvious than quietly
removing the magic tokens.

Signed-off-by: Simon McVittie <smcv@collabora.com>
@smcv smcv mentioned this pull request Mar 5, 2021
Closed
@alexlarsson alexlarsson merged commit 46b3ede into flatpak:master Mar 10, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CVE-2021-21381: Arbitrary file read/write without permissions via special token in .desktop file
3 participants
@smcv @alexlarsson @refi64