gapplication: Document that command line options must be validated

They come from an external process, so they must be validated. In particular, it’s always easy to forget to validate the type of a `GVariant`, and just try to get the stored value using a well-known type; but that’s a programming error if the `GVariant` actually stores a different type. Always check the variant type first if loading from a `v`. Signed-off-by: Philip Withnall <pwithnall@endlessos.org> Helps: #1904
2024-11-09 19:06:15 +01:00 · 2022-11-10 23:11:03 +00:00 · 2022-11-10 23:11:03 +00:00 · eb0d9e709a
commit eb0d9e709a
parent 83c11637ba
2 changed files with 5 additions and 0 deletions
--- a/gio/gapplication.c
+++ b/gio/gapplication.c
@ -673,6 +673,8 @@ add_packed_option (GApplication *application,
 * inspected and modified.  If %G_APPLICATION_HANDLES_COMMAND_LINE is
 * set, then the resulting dictionary is sent to the primary instance,
 * where g_application_command_line_get_options_dict() will return it.
+ * As it has been passed outside the process at this point, the types of all
+ * values in the options dict must be checked before being used.
 * This "packing" is done according to the type of the argument --
 * booleans for normal flags, strings for strings, bytestrings for
 * filenames, etc.  The packing only occurs if the flag is given (ie: we
--- a/gio/gapplicationcommandline.c
+++ b/gio/gapplicationcommandline.c
@ -507,6 +507,9 @@ g_application_command_line_get_arguments (GApplicationCommandLine *cmdline,
 * If no options were sent then an empty dictionary is returned so that
 * you don't need to check for %NULL.
 *
+ * The data has been passed via an untrusted external process, so the types of
+ * all values must be checked before being used.
+ *
 * Returns: (transfer none): a #GVariantDict with the options
 *
 * Since: 2.40