77 lines
3.3 KiB
Diff
77 lines
3.3 KiB
Diff
|
From 93357d357119093804df05acc32ff335839c6451 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Alexander Larsson <alexl@redhat.com>
|
||
|
|
Date: Tue, 11 Jan 2022 10:27:46 +0100
|
||
|
|
Subject: [PATCH] Require metadata in commit also for OCI remotes
|
||
|
|
|
||
|
|
This was disables a long time ago because the fedora remotes didn't
|
||
|
|
contain metadata, but that has been added since then. Requiring fixes
|
||
|
|
a security concern where an app claims to require no permissions (by
|
||
|
|
having no metadata in commit) but then actually requires permissions
|
||
|
|
in the installed app.
|
||
|
|
|
||
|
|
Conflict:NA
|
||
|
|
Reference:https://github.com/flatpak/flatpak/commit/93357d357119093804df05acc32ff335839c6451
|
||
|
|
|
||
|
|
---
|
||
|
|
common/flatpak-dir.c | 14 ++++----------
|
||
|
|
1 file changed, 4 insertions(+), 10 deletions(-)
|
||
|
|
|
||
|
|
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
|
||
|
|
index e6c8046..e6a83cf 100644
|
||
|
|
--- a/common/flatpak-dir.c
|
||
|
|
+++ b/common/flatpak-dir.c
|
||
|
|
@@ -1763,7 +1763,6 @@ validate_commit_metadata (GVariant *commit_data,
|
||
|
|
const char *ref,
|
||
|
|
const char *required_metadata,
|
||
|
|
gsize required_metadata_size,
|
||
|
|
- gboolean require_xa_metadata,
|
||
|
|
GError **error)
|
||
|
|
{
|
||
|
|
g_autoptr(GVariant) commit_metadata = NULL;
|
||
|
|
@@ -1782,9 +1781,9 @@ validate_commit_metadata (GVariant *commit_data,
|
||
|
|
xa_metadata = g_variant_get_string (xa_metadata_v, &xa_metadata_size);
|
||
|
|
}
|
||
|
|
|
||
|
|
- if ((xa_metadata == NULL && require_xa_metadata) ||
|
||
|
|
- (xa_metadata != NULL && (xa_metadata_size != required_metadata_size ||
|
||
|
|
- memcmp (xa_metadata, required_metadata, xa_metadata_size) != 0)))
|
||
|
|
+ if (xa_metadata == NULL ||
|
||
|
|
+ xa_metadata_size != required_metadata_size ||
|
||
|
|
+ memcmp (xa_metadata, required_metadata, xa_metadata_size) != 0)
|
||
|
|
{
|
||
|
|
g_set_error (error, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED,
|
||
|
|
_("Commit metadata for %s not matching expected metadata"), ref);
|
||
|
|
@@ -5814,7 +5813,6 @@ flatpak_dir_pull (FlatpakDir *self,
|
||
|
|
ref,
|
||
|
|
(const char *)g_bytes_get_data (require_metadata, NULL),
|
||
|
|
g_bytes_get_size (require_metadata),
|
||
|
|
- TRUE,
|
||
|
|
error))
|
||
|
|
goto out;
|
||
|
|
}
|
||
|
|
@@ -8128,7 +8126,6 @@ flatpak_dir_deploy (FlatpakDir *self,
|
||
|
|
g_autoptr(GFile) metadata_file = NULL;
|
||
|
|
g_autofree char *metadata_contents = NULL;
|
||
|
|
gsize metadata_size = 0;
|
||
|
|
- gboolean is_oci;
|
||
|
|
|
||
|
|
if (!flatpak_dir_ensure_repo (self, cancellable, error))
|
||
|
|
return FALSE;
|
||
|
|
@@ -8353,12 +8350,9 @@ flatpak_dir_deploy (FlatpakDir *self,
|
||
|
|
/* Check the metadata in the commit to make sure it matches the actual
|
||
|
|
* deployed metadata, in case we relied on the one in the commit for
|
||
|
|
* a decision
|
||
|
|
- * Note: For historical reason we don't enforce commits to contain xa.metadata
|
||
|
|
- * since this was lacking in fedora builds.
|
||
|
|
*/
|
||
|
|
- is_oci = flatpak_dir_get_remote_oci (self, origin);
|
||
|
|
if (!validate_commit_metadata (commit_data, flatpak_decomposed_get_ref (ref),
|
||
|
|
- metadata_contents, metadata_size, !is_oci, error))
|
||
|
|
+ metadata_contents, metadata_size, error))
|
||
|
|
return FALSE;
|
||
|
|
|
||
|
|
dotref = g_file_resolve_relative_path (checkoutdir, "files/.ref");
|
||
|
|
--
|
||
|
|
2.27.0
|
||
|
|
|