Commit cc047717 authored by Yongha Hwang's avatar Yongha Hwang

exo-open : Only execute local .desktop files

Issue #85
CVE-2022-32278

This patch prevents executing possibly malicious .desktop files
from online sources (ftp://, http:// etc.).

Original patch authored by Alexander Schwinn <alexxcons@xfce.org>
parent 3ba2b4d3
Pipeline #15531 passed with stages
in 2 minutes and 39 seconds
......@@ -263,6 +263,16 @@ exo_open_launch_desktop_file (const gchar *arg)
if (G_UNLIKELY (gfile == NULL))
return FALSE;
/* Only execute local .desktop files to prevent execution of malicious launchers from foreign locations */
if (g_file_has_uri_scheme (gfile, "file") == FALSE)
{
char *uri = g_file_get_uri (gfile);
g_warning ("Execution of remote .desktop file '%s' was skipped due to security concerns.", uri);
g_object_unref (gfile);
g_free (uri);
return FALSE;
}
/* load the contents of the file */
result = g_file_load_contents (gfile, NULL, &contents, &length, NULL, NULL);
if (G_UNLIKELY (!result || length == 0))
......
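Review bot: The guard `g_file_has_uri_scheme (gfile, "file") == FALSE` tests the URI scheme only, which is narrower than the "local .desktop files" wording in the comment and commit title: a `file://` path that resolves onto a network share or a FUSE-mounted remote location would still pass, as would a launcher that was first saved to disk. I would state that limit in the comment, e.g. `/* Scheme check only: file:// paths on network or FUSE mounts still pass; launcher trust is not verified here */`. Separately, the `g_warning` prints the full URI, which may carry userinfo (`ftp://user:pass@host/...`) into the session log; logging `g_file_get_uri_scheme (gfile)` or the basename instead would avoid that. The body of `exo_open_launch_desktop_file` starts and ends outside this hunk, so how `gfile` is built from `arg` is not visible here.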