Atri Bhattacharya
035d269280
- Update to version 0.10.0: + This release adds authorisation checks for the profile holds and profile switching features of the backend daemon, through polkit. It is recommended that all distributions upgrade to this version as soon as possible. + This release also adds support for the "quiet" kernel platform profile used in some systems. - Drop patches fixed upstream: + power-profiles-daemon-polkit-policy.patch + c9b646025d9f155509a6cda1c292bfd120daeb9e.patch + 20a2d7f7b80a1847f36236d40388f14ae99fa94b.patch - Add f83685732b9dd8211840645ce76f43718b30218b.patch: build: Make pylint test optional. As power-profiles-daemon keeps getting built with slightly different versions of pylint with newer warnings, disable pylint test by default to avoid getting bug reports about it. - Add hold-profile-hardening.patch: Hardening of HoldProfile D-Bus method (boo#1189900). Requested by openSUSE security team. OBS-URL: https://build.opensuse.org/request/show/923689 OBS-URL: https://build.opensuse.org/package/show/Base:System/power-profiles-daemon?expand=0&rev=4
Index: power-profiles-daemon-0.9.0/src/power-profiles-daemon.c
===================================================================
--- power-profiles-daemon-0.9.0.orig/src/power-profiles-daemon.c
+++ power-profiles-daemon-0.9.0/src/power-profiles-daemon.c
@@ -526,6 +526,29 @@ holder_disappeared (GDBusConnection *con
g_ptr_array_free (cookies, TRUE);
}
+#define MAX_UNTRUSTED_STR_LEN 1024
+#define MAX_PROFILE_HOLDS 32
+
+static gboolean
+check_sane_string(const char *s)
+{
+ guint i;
+
+ for (i = 0; s[i] != 0; i++) {
+ gchar ch = s[i];
+
+ if (i > MAX_UNTRUSTED_STR_LEN)
+ return FALSE;
+
+ if (g_ascii_isalnum(ch) || g_ascii_isspace(ch))
+ continue;
+
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
static void
hold_profile (PpdApp *data,
GVariant *parameters,
@@ -548,6 +571,18 @@ hold_profile (PpdApp *dat
return;
}
+ if (!check_sane_string(reason) || !check_sane_string(application_id)) {
+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS,
+ "Input strings are too long or contain invalid characters");
+ return;
+ }
+
+ if (g_hash_table_size(data->profile_holds) > MAX_PROFILE_HOLDS) {
+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_LIMITS_EXCEEDED,
+ "Too many profile holds already active");
+ return;
+ }
+
hold = g_new0 (ProfileHold, 1);
hold->profile = profile;
hold->reason = g_strdup (reason);
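Review bot: The whitelist in check_sane_string (first hunk) admits only ASCII alphanumerics and whitespace, so any reason or application_id containing `.`, `-`, `_` or `:` is rejected with INVALID_ARGS in the second hunk; if callers pass reverse-DNS application ids such as `org.example.App` (not visible here, but the D-Bus convention), every such hold now fails, which is a functional regression rather than a hardening. Both limits are also off by one: `i > MAX_UNTRUSTED_STR_LEN` admits a 1025-character string and `g_hash_table_size(data->profile_holds) > MAX_PROFILE_HOLDS` lets a 33rd hold be created. Suggested lines: `if (i >= MAX_UNTRUSTED_STR_LEN) return FALSE;`, `if (g_ascii_isalnum(ch) || ch == ' ' || ch == '.' || ch == '-' || ch == '_') continue;` and `if (g_hash_table_size(data->profile_holds) >= MAX_PROFILE_HOLDS)`. Dropping g_ascii_isspace in favour of a plain space also keeps `\n` and `\r` out of strings that may later be logged or emitted in signals. check_sane_string dereferences s without a NULL check, which is only safe if the D-Bus string extraction in hold_profile guarantees non-NULL; hold_profile starts before the second hunk and continues past it, so that cannot be confirmed from the patch.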