Security Issue: Exposure of sensitive function, malicious user can execute arbitrary command via an execute_command d-bus method. #1796
Comments
And also execute_command_by_uuid is affected.
Highlighted in Guake#1796. These changes orphan the execute_command_by_uuid() method, but the method can probably still be used elsewhere.
Highlighted in Guake#1796. Also removed comments that won't be true or relevant with this change. These changes orphan the execute_command_by_uuid() method, but the method can probably still be used elsewhere.
Highlighted in #1796. Also removed comments that won't be true or relevant with this change. These changes orphan the execute_command_by_uuid() method, but the method can probably still be used elsewhere.
Hi, it is nice, that you fix a potential security issue, but is there any concept for keeping the
Only the dbus call has been disconnected, -e is still a flag |
Describe the bug
We understand that the usability of -e option. (#720) BTW, it must not be exposed in d-bus interfaces.
Expected behavior
guake must not expose execute_command in d-bus interfaces.
Do not expose execute_command in d-bus interface.
Actual behavior
guake exposes execute_command in d-bus interface.
To Reproduce
We can use gdbus to call an execute_command d-bus method.
cc. @bbb1g
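A defender-side check for the exposure reported in this issue, as an added example that is not part of the original report or Guake's code: it parses D-Bus introspection XML (the format returned by the standard org.freedesktop.DBus.Introspectable.Introspect call) and lists methods with command-like names that accept string input. The sample XML, its interface name, the argument names and the name heuristic are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed introspection XML. The interface name and argument names are
# placeholders; only the two method names come from the issue.
SAMPLE_INTROSPECTION = """\
<node>
  <interface name="org.example.Terminal.RemoteControl">
    <method name="show"/>
    <method name="hide"/>
    <method name="execute_command">
      <arg direction="in" type="s" name="command"/>
    </method>
    <method name="execute_command_by_uuid">
      <arg direction="in" type="s" name="tab_uuid"/>
      <arg direction="in" type="s" name="command"/>
    </method>
    <method name="get_tab_count">
      <arg direction="out" type="i"/>
    </method>
  </interface>
</node>
"""

# Heuristic (assumption): method names that suggest command execution.
RISKY_NAME = re.compile(r"(exec|command|spawn|shell)", re.IGNORECASE)


def risky_methods(introspection_xml, name_pattern=RISKY_NAME):
    """Return (interface, method, in_signature) for methods to review."""
    findings = []
    root = ET.fromstring(introspection_xml)
    for iface in root.iter("interface"):
        for method in iface.findall("method"):
            # For method arguments, a missing direction attribute means "in".
            in_sig = "".join(
                arg.get("type", "")
                for arg in method.findall("arg")
                if arg.get("direction", "in") == "in"
            )
            # 's' is a string, 'ay' a byte array: both can carry a command line.
            takes_text = "s" in in_sig or "ay" in in_sig
            if takes_text and name_pattern.search(method.get("name", "")):
                findings.append((iface.get("name"), method.get("name"), in_sig))
    return findings


if __name__ == "__main__":
    for iface, method, sig in risky_methods(SAMPLE_INTROSPECTION):
        print(f"REVIEW {iface}.{method}({sig})")
```

A finding is a prompt for review, not proof of a flaw: the question for each listed method is whether any process on the same bus should be allowed to reach it.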