From 735e68af55aba0a0be7ab4e13e30d557ff824b63c661e3a09fe82ded46a6d7d2 Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger
Date: Tue, 28 Feb 2017 21:38:49 +0000
Subject: [PATCH] Accepting request 460002 from GNOME:Next Add patch from upstream OBS-URL: https://build.opensuse.org/request/show/460002 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=20
---
flatpak-propagate-xauth-wildcard.patch | 138 +++++++++++++++++++++++++
flatpak.changes | 7 ++
flatpak.spec | 3 +
3 files changed, 148 insertions(+)
create mode 100644 flatpak-propagate-xauth-wildcard.patch
diff --git a/flatpak-propagate-xauth-wildcard.patch b/flatpak-propagate-xauth-wildcard.patch
new file mode 100644
index 0000000..38d2343
--- /dev/null
+++ b/flatpak-propagate-xauth-wildcard.patch
@@ -0,0 +1,138 @@
+From 1c78637e440675eda987147fa873e4ff7065b49f Mon Sep 17 00:00:00 2001
+From: Ray Strode
+Date: Wed, 15 Feb 2017 10:10:29 -0500
+Subject: [PATCH] run: propagate wildcard xauth entries to app bundle
+
+At the moment, flatpak applications are only given FamilyLocal family
+xauth cookies from the Xauthority file. This is so, the sandboxed
+application doesn't inadvertently get access to displays on other
+computers.
+
+But FamilyLocal isn't the only xauth family that's local. FamilyWild
+entries can be local as well.
+
+Furthermore, FamilyWild entries are preferable to FamilyLocal entries
+when found, because they don't break if the system hostname is changed.
+
+This commit makes FamilyWild xauth entries get propagated in the same
+way as their FamilyLocal counterparts.
+---
+ common/flatpak-run.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index 8dff6d2..34f99f1 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -1718,87 +1718,105 @@ static char *
+ extract_unix_path_from_dbus_address (const char *address)
+ {
+ const char *path, *path_end;
+
+ if (address == NULL)
+ return NULL;
+
+ if (!g_str_has_prefix (address, "unix:"))
+ return NULL;
+
+ path = strstr (address, "path=");
+ if (path == NULL)
+ return NULL;
+ path += strlen ("path=");
+ path_end = path;
+ while (*path_end != 0 && *path_end != ',')
+ path_end++;
+
+ return g_strndup (path, path_end - path);
+ }
+
+ #ifdef ENABLE_XAUTH
+ static gboolean
+ auth_streq (char *str,
+ char *au_str,
+ int au_len)
+ {
+ return au_len == strlen (str) && memcmp (str, au_str, au_len) == 0;
+ }
+
++static gboolean
++xauth_entry_should_propagate (Xauth *xa,
++ char *hostname,
++ char *number)
++{
++ /* ensure entry isn't for remote access */
++ if (xa->family != FamilyLocal && xa->family != FamilyWild)
++ return FALSE;
++
++ /* ensure entry is for this machine */
++ if (xa->family == FamilyLocal && !auth_streq (hostname, xa->address, xa->address_length))
++ return FALSE;
++
++ /* ensure entry is for this session */
++ if (xa->number != NULL && !auth_streq (number, xa->number, xa->number_length))
++ return FALSE;
++
++ return TRUE;
++}
++
+ static void
+ write_xauth (char *number, FILE *output)
+ {
+ Xauth *xa, local_xa;
+ char *filename;
+ FILE *f;
+ struct utsname unames;
+
+ if (uname (&unames))
+ {
+ g_warning ("uname failed");
+ return;
+ }
+
+ filename = XauFileName ();
+ f = fopen (filename, "rb");
+ if (f == NULL)
+ return;
+
+ while (TRUE)
+ {
+ xa = XauReadAuth (f);
+ if (xa == NULL)
+ break;
+- if (xa->family == FamilyLocal &&
+- auth_streq (unames.nodename, xa->address, xa->address_length) &&
+- (xa->number == NULL || auth_streq (number, xa->number, xa->number_length)))
++ if (xauth_entry_should_propagate (xa, unames.nodename, number))
+ {
+ local_xa = *xa;
+ if (local_xa.number)
+ {
+ local_xa.number = "99";
+ local_xa.number_length = 2;
+ }
+
+ if (!XauWriteAuth (output, &local_xa))
+ g_warning ("xauth write error");
+ }
+
+ XauDisposeAuth (xa);
+ }
+
+ fclose (f);
+ }
+ #endif /* ENABLE_XAUTH */
+
+ static void
+ add_args (GPtrArray *argv_array, ...)
+ {
+ va_list args;
+ const gchar *arg;
+
+ va_start (args, argv_array);
+ while ((arg = va_arg (args, const gchar *)))
+ g_ptr_array_add (argv_array, g_strdup (arg));
+ va_end (args);
+ }
+--
+2.9.3
+
diff --git a/flatpak.changes b/flatpak.changes
index 1967622..36ed145 100644
--- a/flatpak.changes
+++ b/flatpak.changes
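Review bot: The comment `/* ensure entry isn't for remote access */` on the first check in xauth_entry_should_propagate (the helper added by the embedded common/flatpak-run.c patch) promises more than the check delivers. A FamilyWild entry skips the hostname comparison on the next check, so it reaches the sandbox on a display-number match alone, or with no filter at all when `xa->number` is NULL. The commit message itself only says wildcard entries "can be" local, so the comment should state the residual exposure, e.g. `/* accept only FamilyLocal and FamilyWild; a wildcard entry is not tied to any host, so only the display number filters it */`. A one-line header comment on the helper, saying that every entry it accepts is written to the sandbox's xauth output by write_xauth, would also help whoever adds another family here. Both functions are fully visible in this hunk.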
@@ -22,6 +22,13 @@ Tue Feb 21 16:42:32 UTC 2017 - zaitor@opensuse.org + Fix uid/gid for directories in document portal. + Updated translations. +------------------------------------------------------------------- +Wed Feb 15 15:28:07 UTC 2017 - adrien.plazas@suse.com + +- Add flatpak-propagate-xauth-wildcard.patch which ensures + applications have the right to communicate with the X server. + (gh#flatpak/flatpak#569). + ------------------------------------------------------------------- Fri Feb 10 16:45:25 UTC 2017 - kamikazow@opensuse.org diff --git a/flatpak.spec b/flatpak.spec index 724b25b..6ee8620 100644 --- a/flatpak.spec +++ b/flatpak.spec @@ -29,6 +29,8 @@ License: LGPL-2.1+ Group: System/Packages Url: https://flatpak.github.io/ Source: %{name}-%{version}.tar.xz +# PATCH-FIX-UPSTREAM flatpak-propagate-xauth-wildcard.patch aplazas@suse.com gh#flatpak/flatpak#569 -- Ensures a flatpaked app has the right to communicate with X. +Patch0: flatpak-propagate-xauth-wildcard.patch BuildRequires: docbook-xsl-stylesheets BuildRequires: gtk-doc BuildRequires: intltool >= 0.35.0 @@ -113,6 +115,7 @@ more information. %prep %setup -q +%patch0 -p1 %build NOCONFIGURE=1 ./autogen.sh