This code was added for use by the G_FILE_ATTRIBUTE_THUMBNAIL_IS_VALID
file attribute, but may end up being used elsewhere (e.g. in GVfs) as well.
As it’s dealing with untrusted external files, and the non-trivial PNG file
format, this commit adds several test cases to cover valid and invalid PNG
files.
The security model for the thumbnail verification code is that the user’s
cache directory is untrusted, and potentially any PNG file which is passed
to the verifier has been manipulated arbitrarily by an attacker.
This is a follow-up to commit fe7069749f.
https://bugzilla.gnome.org/show_bug.cgi?id=709898
It is our intention that memory output streams should operate in two
distinct modes, depending on if a realloc function was provided or not.
In the case that we have a realloc function (resizable mode), we want
the stream to behave as if it were a file that started out empty. In
the case that we don't have a realloc function (fixed-sized mode), we
want the stream to behave as a block device would.
To this end, we introduce two changes in functionality:
- seeking to SEEK_END on a resizable stream will now seek to the end of
the valid data region, not to the end of the allocated memory (which
is really just an implementation detail)
- seeks past the end of the allocated memory size are now permitted,
but only on resizable streams. The next write will grow the buffer
(inserting zeros between).
Some tweaks to testcases were required in order not to break the build,
which indicates that this is an API break, but it seems unlikely that
anyone will be effected by these changes 'in the real world'.
Updates to documentation and further testcases are in following commits.
Based on a patch from Maciej Piechotka <uzytkownik2@gmail.com>.
https://bugzilla.gnome.org/show_bug.cgi?id=684842
Over many years of writing code interacting with subprocesses, a pattern
that comes up a lot is to run a child and get its output as UTF-8, to
put inside a JSON document or render in a GtkTextBuffer, etc.
It's very important to validate at the boundaries, and not say deep
inside Pango.
We could do this a bit more efficiently if done in a streaming fashion,
but realistically this should be OK for now.
We weren't closing the streams after we were done reading or writing,
which is kind of essential. The easy way to fix this is to just use
g_output_stream_splice() to a GMemoryOutputStream rather than
hand-rolling it. This results in a substantial reduction of code
complexity.
A second serious issue is that we were marking the task as complete when
the process exits, but that's racy - there could still be data to read
from stdout. Fix this by just refcounting outstanding operations.
This code, not surprisingly, looks a lot like the "multi" test.
Next, because processes output binary data, I'd be forced to annotate
the char*/length pairs as (array) (element-type uint8). But rather than
doing that, it's *far* simpler to just use GBytes.
We need a version of this that actually validates as UTF-8, that will be
in the next patch.
There are a number of nice things this class brings:
0) Has a race-free termination API on all platforms (on UNIX, calls to
kill() and waitpid() are coordinated as not to cause problems).
1) Operates in terms of G{Input,Output}Stream, not file descriptors
2) Standard GIO-style async API for wait() with cancellation
3) Makes some simple cases easy, like synchronously spawning a
process with an argument list
4) Makes hard cases possible, like asynchronously running a process
with stdout/stderr merged, output directly to a file path
Much rewriting and code review from Ryan Lortie <desrt@desrt.ca>
https://bugzilla.gnome.org/show_bug.cgi?id=672102
Rather than having lots of obscure platform-based #ifdefs all over
gio, define some macros in gcredentialsprivate.h, and use those to
simplify the rest of the code.
https://bugzilla.gnome.org/show_bug.cgi?id=701482
Previously, no testcases tested the close flags of
g_output_stream_splice_async. This patch adds tests for that and
also tests various combinations of threaded and non-threaded
GInputStream async reads and GOutputStream async writes.
https://bugzilla.gnome.org/show_bug.cgi?id=691581
Make use of __wgetmainargs() on Windows so that we can get wide char
versions of the argv's that are passed in when this test program is being
invoked. This is necessary as one might enter non-ASCII, such as
CJK characters filenames and/or directories to run the test program
against, so that we can process the name(s) and pass the proper
UTF-8-encoded name(s) of the files/directories that is being tested.
https://bugzilla.gnome.org/show_bug.cgi?id=707787
Virtaal installs a mime package for various .po-like file formats, one
of which has the extension .txt. This causes GLib to report ".txt"
files still as "text/plain" but no longer with complete certainty.
The result is that asserting !uncertain during the testsuite causes the
test to fail if Virtaal happens to be installed.
Remove this assertion.
GNetworkAddress was allowing IPv6 scope ids in g_network_address_new()
/ g_network_address_parse(), but not in g_network_address_parse_uri().
Fix that.
Part of https://bugzilla.gnome.org/show_bug.cgi?id=669724
Convert {glib,gobject,gio}/tests to use the automake TAP driver
and test harness instead of gtester. To do so, we add a glib-tap.mk
that provides the same interface as glib.mk, except for the
reporting and coverage testing functionality. Eventually, we may
want to replace glib.mk with it. I've not yet converted the
toplevel tests/ directory, since it mixes gtestutils tests with
other binaries.
https://bugzilla.gnome.org/show_bug.cgi?id=692125
With UDP sockets, g_socket_bind() with allow_reuse=TRUE on Linux
behaved in a way that the documentation didn't suggest, and that
didn't match other OSes. (Specifically, it allowed binding multiple
multicast sockets to the same address.)
Since this behavior is useful, and since allow_reuse didn't have any
other meaning with UDP sockets, update the docs to reflect the Linux
behavior, and make it do the same thing on non-Linux.
https://bugzilla.gnome.org/show_bug.cgi?id=689245
When running a task in a thread, GTask may still be internally holding
a ref on the task in that thread even after the callback is called in
the original thread (depending on thread scheduling). Fix the test to
handle that by using a weak notify that signals a GCond, and wait for
that GCond from the main thread. (And add a corresponding check to
test_return_on_cancel().)
https://bugzilla.gnome.org/show_bug.cgi?id=705152
Add a missing Name entry, and add a terminal ; to the Actions
entry in org.gtk.test.dbusappinfo.desktop. desktop-file-validate
still contains about the DBusActivatable entry and about the
missing Exec entries. The former will go away when desktop-file-validate
gets updated for the latest spec revision.
Add a fairly realistic testcase that ensures that GDesktopAppInfo with
DBusActivatable=true can successfully talk to GApplication for a variety
of purposes.
https://bugzilla.gnome.org/show_bug.cgi?id=699259
For some time, the desktop file specification has supported "additional
application actions". This is intended to allow for additional methods
of starting an app, such as a mail client having a "Compose New Message"
action that brings up the compose window instead of the folder list.
This patch adds support for this with a relatively minimal API.
In the case that the application is a GApplication and DBusActivatable,
desktop actions are translated into GActions that have been added to the
application with g_action_map_add_action(). This more or less closes
the loop on being able to activate an application with an action
invocation (instead of 'activate').
https://bugzilla.gnome.org/show_bug.cgi?id=664444
Add a new type of GAction that represents the value of a property on an
object. As an example, this might be used on the "visible-child-name"
property of a GtkStack.
https://bugzilla.gnome.org/show_bug.cgi?id=703270
It's possible to get a org.freedesktop.Properties.GetAll call even if we
have no readable properties in the introspection, in which case we
should return the empty list in the usual way.
We should certainly _not_ be dispatching to the method call handler of
an interface which has no properties (since it will not be expecting
this).
Add a check to make sure that there is at least one readable property
before assuming that a NULL get_property handler implies that we want to
handle properties asynchronously.
Add a testcase that was failing before the change and works after it.
https://bugzilla.gnome.org/show_bug.cgi?id=703437
The existing advice in the documentation to "simply" register the
"org.freedesktop.DBus.Properties" interface if you want to handle
properties asynchronously is pretty unreasonable. If you want to handle
this interface you have to deal with all properties for all interfaces
on the path, and you have to do all of the checking for yourself. You
also have to provide your own introspection data.
Introduce a new convention for dealing with properties asynchronously.
If the user provides NULL for their get_property() or set_property()
functions in the vtable and has properties registered then the
properties are sent to the method_call() handler. We get lucky here
that this function takes an "interface_name" parameter that we can set
to "org.freedesktop.DBus.Properties".
We also do the user the favour of setting the GDBusPropertyInfo on the
GDBusMethodInvocation for their convenience (for much the same reasons
as they might want the already-available GDBusMethodInfo).
Add a testcase as well as a bunch of documentation about this new
feature.
https://bugzilla.gnome.org/show_bug.cgi?id=698375
OS X's getaddrinfo() only supports IPv6 scope IDs that are interface
names, not numbers. So use if_indextoname() to get the name of an
interface and construct an address using that.
https://bugzilla.gnome.org/show_bug.cgi?id=700123
