From 09c97951e91980e345b274063e3600769172c05f Mon Sep 17 00:00:00 2001
From: yinyongkang <yinyongkang@kylinos.cn>
Date: Fri, 8 Jul 2022 10:10:07 +0800
Subject: [PATCH] exo-open : Only execute local .desktop files

CVE-2022-32278

This patch prevents executing possibly malicious .desktop files
from online sources (ftp://, http:// etc.).

Original patch authored by Alexander Schwinn <alexxcons@xfce.org>
---
 exo-open/main.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/exo-open/main.c b/exo-open/main.c
index a471c78..0176bc3 100644
--- a/exo-open/main.c
+++ b/exo-open/main.c
@@ -156,6 +156,16 @@ exo_open_launch_desktop_file (const gchar *arg)
   if (G_UNLIKELY (gfile == NULL))
     return FALSE;
 
+  /* Only execute local .desktop files to prevent execution of malicious launchers from  foreign locations */
+  if (g_file_has_uri_scheme (gfile, "file") == FALSE)
+    {
+      char *uri = g_file_get_uri (gfile);
+      g_warning ("Execution of remote .desktop file '%s' was skipped due to security concerns.", uri);
+      g_object_unref (gfile);
+      g_free (uri);
+      return FALSE;
+    }
+
   /* load the contents of the file */
   result = g_file_load_contents (gfile, NULL, &contents, &length, NULL, NULL);
   g_object_unref (G_OBJECT (gfile));
-- 
2.33.0