Commit Graph

3202 Commits

Author SHA1 Message Date
Colin Walters
d6cbb29f59 CVE-2012-3524: Hardening for being run in a setuid environment
Some programs attempt to use libglib (or even libgio) when setuid.
For a long time, GTK+ simply aborted if launched in this
configuration, but we never had a real policy for GLib.

I'm not sure whether we should advertise such support.  However, given
that there are real-world programs that do this currently, we can make
them safer with not too much effort.

Better to fix a problem caused by an interaction between two
components in *both* places if possible.

This patch adds a private function g_check_setuid() which is used to
first ensure we don't run an external dbus-launch binary if
DBUS_SESSION_BUS_ADDRESS isn't set.

Second, we also ensure the local VFS is used in this case.  The
gdaemonvfs extension point will end up talking to the session bus
which is typically undesirable in a setuid context.

Implementing g_check_setuid() is interesting - whether or not we're
running in a privilege-escalated path is operating system specific.
Note that GTK+'s code to check euid versus uid worked historically on
Unix, more modern systems have filesystem capabilities and SELinux
domain transitions, neither of which are captured by the uid
comparison.

On Linux/glibc, the way this works is that the kernel sets an
AT_SECURE flag in the ELF auxiliary vector, and glibc looks for it on
startup.  If found, then glibc sets a public-but-undocumented
__libc_enable_secure variable which we can use.  Unfortunately, while
it *previously* worked to check this variable, a combination of newer
binutils and RPM break it:
http://www.openwall.com/lists/owl-dev/2012/08/14/1

So for now on Linux/glibc, we fall back to the historical Unix version
until we get glibc fixed.

On some BSD variants, there is a issetugid() function.  On other Unix
variants, we fall back to what GTK+ has been doing.

Reported-By: Sebastian Krahmer <krahmer@suse.de>
Signed-off-by: Colin Walters <walters@verbum.org>
2012-09-13 18:34:29 -04:00
William Jon McCann
cc3238a9c9 Add api to get the generic icon name for a mime type
https://bugzilla.gnome.org/show_bug.cgi?id=683744
2012-09-13 12:50:02 -04:00
Matthias Clasen
6a50dc511b Drop GVFS_INOTIFY_DIAG debug feature
Just not a good idea to have this in production code.
2012-09-11 20:24:30 -04:00
Thomas Bechtold
c9a3cd6d8b Fix gdbus connection annotations
g_dbus_connection_call_with_unix_fd_list_sync () and
g_dbus_connection_call_sync () should allow None for the
bus_name parameter.

https://bugzilla.gnome.org/show_bug.cgi?id=683771

Signed-off-by: Richard Hughes <richard@hughsie.com>
2012-09-11 13:16:32 +01:00
LRN
59ad2acfc5 gwin32mount.c: Fix syntax error
Signed-off-by: Colin Walters <walters@verbum.org>

https://bugzilla.gnome.org/show_bug.cgi?id=683641
2012-09-09 10:49:45 -04:00
Dan Winship
d68609f9fd Revert "xdgmime: plug a small leak"
This reverts commit 4e7031f073.

The string actually does get freed somewhere else, at least in some
cases. Can be looked at again later if this reintroduces a leak.

https://bugzilla.gnome.org/show_bug.cgi?id=683270
2012-09-03 10:07:31 -04:00
Dan Winship
beb0f9c150 gio/tests: fix leaks
https://bugzilla.gnome.org/show_bug.cgi?id=682560
2012-09-03 08:41:23 -04:00
Dan Winship
17bb9d542c gio/tests/cancellable: fix to still work when running slowly
The test was assuming that all cancelled ops would finish within a
certain amount of time, but this often failed under valgrind. Instead,
just run the loop until all of the ops have actually finished.

https://bugzilla.gnome.org/show_bug.cgi?id=682560
2012-09-03 08:40:14 -04:00
Dan Winship
568f737708 gio/tests: port some stuff to g_test_expect_message()
https://bugzilla.gnome.org/show_bug.cgi?id=682560
2012-09-03 08:40:14 -04:00
Dan Winship
039ecf2bc6 g_file_copy: plug a leak
The fallback copy code was leaking the GFileInfo if it didn't have
G_FILE_ATTRIBUTE_STANDARD_TYPE.

https://bugzilla.gnome.org/show_bug.cgi?id=682560
2012-09-03 08:40:14 -04:00
Dan Winship
fa58cef826 GDesktopAppInfo: fix leaks
g_desktop_app_info_ensure_saved() was leaking the file contents.

_g_desktop_app_info_launch_uris_internal() was leaking the session bus
on error.

https://bugzilla.gnome.org/show_bug.cgi?id=682560
2012-09-03 08:36:10 -04:00
Dan Winship
4e7031f073 xdgmime: plug a small leak
https://bugzilla.gnome.org/show_bug.cgi?id=682560
2012-09-03 08:36:10 -04:00
Paolo Borelli
2d85894bc5 Fix gtk-doc for g_app_info_get_supported_types 2012-09-02 12:25:50 +02:00
Aleksander Morgado
724c8a1846 gdbus-codegen: avoid error when wrong interface is provided to --annotate
If the interface given cannot be matched, `iface_obj' was left uninitialized and
the iface_obj == None check would end up crashing:

Traceback (most recent call last):
  File "/usr/bin/gdbus-codegen", line 41, in <module>
    sys.exit(codegen_main.codegen_main())
  File "/usr/lib64/gdbus-2.0/codegen/codegen_main.py", line 175, in codegen_main
    apply_annotations(all_ifaces, opts.annotate)
  File "/usr/lib64/gdbus-2.0/codegen/codegen_main.py", line 146, in apply_annotations
    apply_annotation(iface_list, iface, None, None, None, None, key, value)
  File "/usr/lib64/gdbus-2.0/codegen/codegen_main.py", line 64, in apply_annotation
    if iface_obj == None:
UnboundLocalError: local variable 'iface_obj' referenced before assignment

Fixes https://bugzilla.gnome.org/show_bug.cgi?id=683088
2012-09-01 11:53:19 -04:00
Martin Pitt
55f7061097 Bump max time in test_method_calls_on_proxy() test
On slower platforms, the overhead of the 240 D-BUS Sleep calls is larger than
the current maximum of 6 seconds. A run on a Panda board sometimes fails with

  ERROR:/build/buildd/glib2.0-2.33.8/./gio/tests/gdbus-threading.c:409:test_method_calls_on_proxy:
  assertion failed (elapsed_msec < 6000): (7365 < 6000)

Bump maximum time to 8 seconds to be more resilient to this.

https://bugzilla.gnome.org/show_bug.cgi?id=682222
2012-08-31 18:03:26 +02:00
William Jon McCann
40b4fae42e Add ability to get symbolic icon for content type
https://bugzilla.gnome.org/show_bug.cgi?id=682101
2012-08-30 11:04:43 -04:00
William Jon McCann
a15a071f35 Add symbolic icon support to gfileinfo
https://bugzilla.gnome.org/show_bug.cgi?id=682101
2012-08-30 11:04:43 -04:00
William Jon McCann
a2dca48bf7 Add symbolic icon support to drive, volume, and mount
We need symbolic icon support for display in Nautilus.

https://bugzilla.gnome.org/show_bug.cgi?id=682101
2012-08-30 11:04:43 -04:00
Rui Matos
88d181ef18 gdbus-tool: Check return value of strrchr()
Fixes a crash when invoking gdbus like:

$ gdbus emit --session -o / -s Foo

https://bugzilla.gnome.org/show_bug.cgi?id=682965
2012-08-30 11:51:49 +02:00
Cosimo Cecchi
9bca5bb49f appinfo: fix annotations for g_app_info_launch and g_app_info_launch_uris
The files/uris parameters for these functions can be NULL, so we need an
allow-none annotation here.
2012-08-29 14:46:11 -04:00
Colin Walters
6e64ba58b9 Switch all open() calls to use g_open()
Because it now handles EINTR.  And we should do so.  While most people
use Linux, which tries very hard to avoid propagating EINTR back up
into userspace, it can still happen.

https://bugzilla.gnome.org/show_bug.cgi?id=682833
2012-08-28 13:56:59 -04:00
Colin Walters
2542b6f604 xdgmime: Handle EINTR in open()
https://bugzilla.gnome.org/show_bug.cgi?id=682833
2012-08-28 13:56:58 -04:00
Cosimo Cecchi
62570a52b1 gio: don't quote quark names for G_DEFINE_QUARK 2012-08-28 13:16:25 -04:00
Matthias Clasen
60d2cb665e Use G_DEFINE_QUARK for quarks in GIO 2012-08-28 00:08:08 -04:00
Daiki Ueno
030ebfb93b gsettings-tool: make list-recursively really recurse
https://bugzilla.gnome.org/show_bug.cgi?id=682586
2012-08-28 00:08:06 -04:00
Matthias Clasen
a552989410 GFile: Cosmetic doc changes 2012-08-28 00:08:05 -04:00
Matthias Clasen
0149f44f4a Fix the GDBusProxy async test
Patch by Mike Gorse, bug
https://bugzilla.gnome.org/show_bug.cgi?id=674805
2012-08-28 00:08:05 -04:00
Matthias Clasen
7e07ea8189 Make async permission tests work 2012-08-28 00:08:05 -04:00
375943ea21 Fix the gdbus-proxy async test
The async test had several problems:
- It created a proxy and did not launch a main loop, meaning that its
  callback would usually not get called, or, if it did get called, the
test harness would have taken down the connection already, causing an
assertion failure when the proxy had an error.
- It was dependent on the proxy test to set up the server and would fail
  because some properties were modified by that test.

https://bugzilla.gnome.org/show_bug.cgi?id=674805
2012-08-28 00:08:04 -04:00
Dan Winship
b901aaf673 Update .gitignores 2012-08-26 14:40:22 -04:00
Stef Walter
7518f7a674 Revert "gtlscertificate: Add certificate-bytes and private-key-bytes props"
* In order to add contstruct properties to an abstract base
   calls, and retain ABI stability, the base class must add a
   default implementation of those properties.
 * We cannot add a default implementation of certificate-bytes
   or private-key-bytes since certificate and private-key properties
   are writable on construct-only.

This reverts commit 541c985869.

https://bugzilla.gnome.org/show_bug.cgi?id=682081
2012-08-21 13:30:02 +02:00
Stef Walter
a8c784df58 gdbus: Fix double free and use after free of object path
* This occurs when the 'g-object-path' property is read
   on a GDBusObjectSkeleton

https://bugzilla.gnome.org/show_bug.cgi?id=682075
2012-08-21 13:21:26 +02:00
Cosimo Cecchi
0d8a81b722 mount-op: use gint64 instead of guint64 for time_left and bytes_left
Since those can be -1, they need to be signed.

https://bugzilla.gnome.org/show_bug.cgi?id=682284
2012-08-21 10:55:28 +02:00
Ryan Lortie
59394b3e1e Revert the GMarkup attribute collect changes
We need to have some more discussion on this topic.

This reverts commits 86329ba44f and
8d40389d15.

https://bugzilla.gnome.org/show_bug.cgi?id=665634
2012-08-20 18:34:13 -04:00
Lars Uebernickel
07fadc7932 GMenuModel: add test for the new GMenuItem API 2012-08-20 16:26:25 -04:00
Ryan Lortie
6798fcdd0f GMenuItem: add constructor to copy from model
Add g_menu_item_new_from_model() for constructing a GMenuItem that is a
copy of a menu item that's in a GMenuModel.
2012-08-20 16:26:25 -04:00
Ryan Lortie
99478dd893 GMenuItem: add getter APIs
GMenuItem has been write-only up to this point.  Add some APIs for
reading back values as well.
2012-08-20 16:26:25 -04:00
Ryan Lortie
ad79b0f8ef GMenuModel: remove a type safety bug
There was a /* XXX */ in the code here to do proper typechecking of the
GVariant in the menu model when using g_menu_model_get_item_attribute().
We have g_variant_check_format_string() now, so use it.
2012-08-20 16:26:25 -04:00
Marc-André Lureau
d9f6314f57 win32: add pipe-io-cancel-test
Test that win32 streams can be cancelled.
It can even be tested with wine on Linux!

https://bugzilla.gnome.org/show_bug.cgi?id=679288
2012-08-20 17:10:31 +02:00
Marc-André Lureau
b9b2cf6a66 win32: add pipe-io-concurrent
Implement test case suggested by Ryan Lortie on bug:
https://bugzilla.gnome.org/show_bug.cgi?id=679288

"There is a potential race here that's really unlikely to happen, but
here we go: We are trying to read from the same socket in two threads.
Some data comes. That causes the poll() in both threads (above) to
finish running. Then the cancellable is checked above. We now find
ourselves here. Only one thread will read the data. The other will
block on this function. Then the user may cancel the cancellable while
we are blocked here, but we will stay blocked...."
2012-08-20 17:10:31 +02:00
Marc-André Lureau
1c1ba8b512 win32: add pipe-io-overlap-test 2012-08-20 17:10:31 +02:00
Marc-André Lureau
b9d7b80897 win32: make gio stream cancellable
v2:
 - fix cancellation of concurrent readers
 - replace g_assert() usage with g_warn_if_fail()
v3:
 - fix indentation
 - fix loop code to not leak (silly me)

https://bugzilla.gnome.org/show_bug.cgi?id=679288
2012-08-20 17:10:31 +02:00
Marc-André Lureau
4b5d762d5d win32: handle ERROR_MORE_DATA
If a named pipe is being read in message mode and the next message is
longer than the nNumberOfBytesToRead parameter specifies, ReadFile
returns FALSE and GetLastError returns ERROR_MORE_DATA.

Since the API doesn't allow to return both a GError and the number of
bytes read so far, it makes more sense to return nread, and let the
client call GetLastError() himself to check if ERROR_MORE_DATA.

The current alternative loses the nread information.

https://bugzilla.gnome.org/show_bug.cgi?id=679288
2012-08-20 17:10:31 +02:00
Marc-André Lureau
23d80a04da win32: use overlapped events for streams
Any file handle created with FLAG_OVERLAPPED must have
ReadFile()/WriteFile() called with an OVERLAPPED structure.
Failing to do so will give unspecified results, invalid read/write or
corruption.

Without FLAG_OVERLAPPED, it is not possible to read and write
concurrently, even with two seperate threads, created by 2 input and
output gio streams. Also, only with FLAG_OVERLAPPED may an IO
operation be asynchronous and thus be cancellable.

We may want to call ReOpenFile() to make sure the FLAG is set, but
this API is only available since Vista+.

According to MSDN doc, adding the OVERLAPPED argument for IO operation
on handles without FLAG_OVERLAPPED is allowed, and indeed the existing
test still passes.

v2:
- update GetLastError() after _g_win32_overlap_wait_result ()
- split the unrelated ERROR_MORE_DATA handling

https://bugzilla.gnome.org/show_bug.cgi?id=679288
2012-08-20 17:10:31 +02:00
Matthias Clasen
cbf346ce53 Remove some more 'the the' 2012-08-19 02:27:04 -04:00
Matthias Clasen
efd822bb07 Improve test coverage for GSocketConnection 2012-08-19 02:26:42 -04:00
Matthias Clasen
cc5d7ccdba Improve test coverage for unix socket addresses 2012-08-19 02:26:05 -04:00
Matthias Clasen
63eaeb223b Improve test coverage for resources 2012-08-19 02:25:37 -04:00
Matthias Clasen
beea8c5c84 Improve test coverage for filter streams 2012-08-19 02:25:21 -04:00
Matthias Clasen
b22f4a2dd2 Improve test coverage for unix streams 2012-08-19 02:25:02 -04:00