luc14n0/glib
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/glib.git synced 2025-07-22 01:47:52 +02:00
Code Issues Packages Projects Releases Wiki Activity

giomodule: Ignore GIO_MODULE_DIR when running as setuid

Browse Source 
Even if the modules in the given directory never get chosen to be used,
loading arbitrary code from a user-provided directory is not safe when
running as setuid, as the process’ environment comes from an untrusted
source.

Also ignore `GIO_EXTRA_MODULES`.

Spotted by Simon McVittie.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Fixes: #2168
This commit is contained in:
Philip Withnall
2020-12-04 23:33:43 +00:00
parent a7ad3fd33a
commit 5bdda2a6b5
2 changed files with 25 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
docs/reference/gio/overview.xml
View File

@@ -436,6 +436,9 @@ Gvfs is also heavily distributed and relies on a session bus to be present.
modules from this alternate directory instead of the directory
built into GIO. This is useful when running tests, for example.
</para>
<para>
This environment variable is ignored when running in a setuid program.
</para>
</formalpara>
<formalpara>
@@ -446,6 +449,9 @@ Gvfs is also heavily distributed and relies on a session bus to be present.
paths separated by a colon, GIO will attempt to load
additional modules from within the path.
</para>
<para>
This environment variable is ignored when running in a setuid program.
</para>
</formalpara>
<formalpara>