From 09c97951e91980e345b274063e3600769172c05f Mon Sep 17 00:00:00 2001
From: yinyongkang <yinyongkang@kylinos.cn>
Date: Fri, 8 Jul 2022 10:10:07 +0800
Subject: [PATCH] exo-open : Only execute local .desktop files
CVE-2022-32278
This patch prevents executing possibly malicious .desktop files
from online sources (ftp://, http:// etc.).
Original patch authored by Alexander Schwinn <alexxcons@xfce.org>
---
exo-open/main.c | 10 ++++++++++
1 file changed, 10 insertions(+)
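--- a/exo-open/main.c
+++ b/exo-open/main.c
@@ -156,6 +156,16 @@ exo_open_launch_desktop_file (const gchar *arg)
 if (G_UNLIKELY (gfile == NULL))
 return FALSE;
 
+ /* Only execute local .desktop files to prevent execution of malicious launchers from foreign locations */
+ if (g_file_has_uri_scheme (gfile, "file") == FALSE)
+ {
+ char *uri = g_file_get_uri (gfile);
+ g_warning ("Execution of remote .desktop file '%s' was skipped due to security concerns.", uri);
+ g_object_unref (gfile);
+ g_free (uri);
+ return FALSE;
+ }
+
 /* load the contents of the file */
 result = g_file_load_contents (gfile, NULL, &contents, &length, NULL, NULL);
 g_object_unref (G_OBJECT (gfile));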
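Review bot: The new scheme check returns the same `FALSE` as the `gfile == NULL` path just above it, so the caller cannot tell a policy refusal from an ordinary failure; the caller is outside this hunk, so it is worth confirming that it does not fall through and pass the same URI to another handler. The test also looks only at the URI scheme, so a `file://` path that sits on a network or FUSE mount would presumably still be accepted; a comment stating that limit would help, e.g. `/* scheme check only: file:// paths on network or FUSE mounts are still treated as local */`. As a style point, `if (!g_file_has_uri_scheme (gfile, "file"))` reads better than comparing a gboolean with `FALSE`, and `gchar *uri` would match the `const gchar *arg` in the signature. The body of exo_open_launch_desktop_file starts and ends outside the hunk.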
--
2.33.0