Accepting request 460002 from GNOME:Next

Add patch from upstream OBS-URL: https://build.opensuse.org/request/show/460002 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=20
2017-02-28 21:38:49 +00:00 · 2017-02-28 21:38:49 +00:00 · 735e68af55
commit 735e68af55
parent 1e2bf8bbba
3 changed files with 148 additions and 0 deletions
--- a/flatpak-propagate-xauth-wildcard.patch
+++ b/flatpak-propagate-xauth-wildcard.patch
@ -0,0 +1,138 @@
+From 1c78637e440675eda987147fa873e4ff7065b49f Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Wed, 15 Feb 2017 10:10:29 -0500
+Subject: [PATCH] run: propagate wildcard xauth entries to app bundle
+
+At the moment, flatpak applications are only given FamilyLocal family
+xauth cookies from the Xauthority file.  This is so, the sandboxed
+application doesn't inadvertently get access to displays on other
+computers.
+
+But FamilyLocal isn't the only xauth family that's local.  FamilyWild
+entries can be local as well.
+
+Furthermore, FamilyWild entries are preferable to FamilyLocal entries
+when found, because they don't break if the system hostname is changed.
+
+This commit makes FamilyWild xauth entries get propagated in the same
+way as their FamilyLocal counterparts.
+---
+ common/flatpak-run.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index 8dff6d2..34f99f1 100644
+--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
+@@ -1718,87 +1718,105 @@ static char *
+ extract_unix_path_from_dbus_address (const char *address)
+ {
+   const char *path, *path_end;
+ 
+   if (address == NULL)
+     return NULL;
+ 
+   if (!g_str_has_prefix (address, "unix:"))
+     return NULL;
+ 
+   path = strstr (address, "path=");
+   if (path == NULL)
+     return NULL;
+   path += strlen ("path=");
+   path_end = path;
+   while (*path_end != 0 && *path_end != ',')
+     path_end++;
+ 
+   return g_strndup (path, path_end - path);
+ }
+ 
+ #ifdef ENABLE_XAUTH
+ static gboolean
+ auth_streq (char *str,
+             char *au_str,
+             int   au_len)
+ {
+   return au_len == strlen (str) && memcmp (str, au_str, au_len) == 0;
+ }
+ 
+static gboolean
+xauth_entry_should_propagate (Xauth *xa,
+                              char  *hostname,
+                              char  *number)
+{
+  /* ensure entry isn't for remote access */
+  if (xa->family != FamilyLocal && xa->family != FamilyWild)
+    return FALSE;
+
+  /* ensure entry is for this machine */
+  if (xa->family == FamilyLocal && !auth_streq (hostname, xa->address, xa->address_length))
+    return FALSE;
+
+  /* ensure entry is for this session */
+  if (xa->number != NULL && !auth_streq (number, xa->number, xa->number_length))
+    return FALSE;
+
+  return TRUE;
+}
+
+ static void
+ write_xauth (char *number, FILE *output)
+ {
+   Xauth *xa, local_xa;
+   char *filename;
+   FILE *f;
+   struct utsname unames;
+ 
+   if (uname (&unames))
+     {
+       g_warning ("uname failed");
+       return;
+     }
+ 
+   filename = XauFileName ();
+   f = fopen (filename, "rb");
+   if (f == NULL)
+     return;
+ 
+   while (TRUE)
+     {
+       xa = XauReadAuth (f);
+       if (xa == NULL)
+         break;
+-      if (xa->family == FamilyLocal &&
+-          auth_streq (unames.nodename, xa->address, xa->address_length) &&
+-          (xa->number == NULL || auth_streq (number, xa->number, xa->number_length)))
+      if (xauth_entry_should_propagate (xa, unames.nodename, number))
+         {
+           local_xa = *xa;
+           if (local_xa.number)
+             {
+               local_xa.number = "99";
+               local_xa.number_length = 2;
+             }
+ 
+           if (!XauWriteAuth (output, &local_xa))
+             g_warning ("xauth write error");
+         }
+ 
+       XauDisposeAuth (xa);
+     }
+ 
+   fclose (f);
+ }
+ #endif /* ENABLE_XAUTH */
+ 
+ static void
+ add_args (GPtrArray *argv_array, ...)
+ {
+   va_list args;
+   const gchar *arg;
+ 
+   va_start (args, argv_array);
+   while ((arg = va_arg (args, const gchar *)))
+     g_ptr_array_add (argv_array, g_strdup (arg));
+   va_end (args);
+ }
+-- 
+2.9.3
+
--- a/flatpak.changes
+++ b/flatpak.changes
@ -22,6 +22,13 @@ Tue Feb 21 16:42:32 UTC 2017 - zaitor@opensuse.org
  + Fix uid/gid for directories in document portal.
  + Updated translations.

+-------------------------------------------------------------------
+Wed Feb 15 15:28:07 UTC 2017 - adrien.plazas@suse.com
+
+- Add flatpak-propagate-xauth-wildcard.patch which ensures
+  applications have the right to communicate with the X server.
+  (gh#flatpak/flatpak#569).
+
 -------------------------------------------------------------------
 Fri Feb 10 16:45:25 UTC 2017 - kamikazow@opensuse.org

--- a/flatpak.spec
+++ b/flatpak.spec
@ -29,6 +29,8 @@ License:        LGPL-2.1+
 Group:          System/Packages
 Url:            https://flatpak.github.io/
 Source:         %{name}-%{version}.tar.xz
+# PATCH-FIX-UPSTREAM flatpak-propagate-xauth-wildcard.patch aplazas@suse.com gh#flatpak/flatpak#569 -- Ensures a flatpaked app has the right to communicate with X.
+Patch0:         flatpak-propagate-xauth-wildcard.patch
 BuildRequires:  docbook-xsl-stylesheets
 BuildRequires:  gtk-doc
 BuildRequires:  intltool >= 0.35.0
@ -113,6 +115,7 @@ more information.

 %prep
 %setup -q
+%patch0 -p1

 %build
 NOCONFIGURE=1 ./autogen.sh