
Commit cc14010

smcv authored and alexlarsson committed
portal: Do not use caller-supplied variables in environment
If the caller specifies a variable that can be used to inject arbitrary code into processes, we must not allow it to enter the environment block used to run `flatpak run`, which runs unsandboxed.

This change requires the previous commit "context: Add --env-fd option", which adds infrastructure used here.

To be secure, this change also requires the previous commit "run: Convert all environment variables into bwrap arguments", which protects a non-setuid bwrap(1) from the same attack.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Part-of: GHSA-4ppf-fxf6-vxg2
1 parent 39a5621 commit cc14010
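The commit message describes the pattern the fix adopts: caller-controlled variables are validated and serialized into a separate NUL-delimited block that is handed to the sandboxed process out of band, rather than being applied to the portal's own environment where they would also affect the unsandboxed `flatpak run` (LD_PRELOAD being the classic injection vector). The following is an added example, not flatpak's own code, showing that pattern in isolation. The `env_block_*` helpers and the `demo_untrusted_request` input are constructed for illustration; the `VAR=VALUE\0` layout is assumed to be what `--env-fd` consumes, based on the serialization visible in the diff.

```c
#include <stdlib.h>
#include <string.h>

/*
 * Added example (not flatpak's own code). Caller-supplied environment
 * variables are validated and serialized into a block of NUL-terminated
 * "VAR=VALUE" entries, instead of being applied to this process's own
 * environment with setenv(3). The layout is assumed to match the block
 * flatpak's --env-fd reads.
 */

struct env_block {
    char *data;   /* concatenated "VAR=VALUE\0" entries */
    size_t len;   /* bytes used, including each trailing NUL */
    size_t count; /* number of entries appended */
};

/* Append one caller-supplied variable. Returns 0, or -1 if the name is
 * empty or contains '=' (the two checks the patch performs), since either
 * would corrupt the "VAR=VALUE" framing. */
static int env_block_append(struct env_block *blk, const char *var, const char *val)
{
    if (var == NULL || val == NULL || var[0] == '\0' || strchr(var, '=') != NULL)
        return -1;

    size_t vlen = strlen(var), llen = strlen(val);
    char *p = realloc(blk->data, blk->len + vlen + 1 + llen + 1);
    if (p == NULL)
        return -1;
    blk->data = p;

    memcpy(blk->data + blk->len, var, vlen);
    blk->len += vlen;
    blk->data[blk->len++] = '=';
    memcpy(blk->data + blk->len, val, llen);
    blk->len += llen;
    blk->data[blk->len++] = '\0';
    blk->count++;
    return 0;
}

/* Walk the block the way a consumer of the fd would: each entry is a
 * NUL-terminated "VAR=VALUE". Returns the value of the LAST matching entry
 * or NULL, so a later duplicate overrides an earlier one. */
static const char *env_block_lookup(const struct env_block *blk, const char *var)
{
    const char *found = NULL;
    size_t vlen = strlen(var);

    for (size_t off = 0; off < blk->len; ) {
        const char *entry = blk->data + off;
        size_t elen = strlen(entry);
        if (elen > vlen && entry[vlen] == '=' && memcmp(entry, var, vlen) == 0)
            found = entry + vlen + 1;
        off += elen + 1;
    }
    return found;
}

static void env_block_free(struct env_block *blk)
{
    free(blk->data);
    blk->data = NULL;
    blk->len = 0;
    blk->count = 0;
}

/* Constructed sample request from an untrusted caller: LD_PRELOAD, an
 * empty name, a name carrying '=', and PATH. Returns how many entries were
 * accepted into the block and reports via *leaked whether the hostile
 * LD_PRELOAD value became visible in this process's own environment. */
static size_t demo_untrusted_request(int *leaked)
{
    struct env_block blk = { NULL, 0, 0 };
    const char *names[]  = { "LD_PRELOAD",   "",  "FOO=bar", "PATH"     };
    const char *values[] = { "/tmp/evil.so", "x", "y",       "/usr/bin" };

    for (size_t i = 0; i < 4; i++)
        (void) env_block_append(&blk, names[i], values[i]);

    /* Nothing above touched environ, so the injected value is absent here
     * even though it is present in the block destined for the sandbox. */
    const char *here = getenv("LD_PRELOAD");
    *leaked = (here != NULL && strcmp(here, "/tmp/evil.so") == 0);

    size_t accepted = blk.count;
    env_block_free(&blk);
    return accepted;
}
```

The point of `demo_untrusted_request` is the split the fix relies on: LD_PRELOAD is a legitimate thing for a caller to set inside its own sandbox, so it is accepted into the block, but it must never be applied to the process that goes on to exec `flatpak run`. Rejecting empty names and names containing `=` keeps the block parseable; everything else about the value is left to the sandboxed consumer.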

File tree

1 file changed

+27
-1
lines changed


Diff for: portal/flatpak-portal.c

@@ -998,14 +998,40 @@ handle_spawn (PortalFlatpak *object,
998998
else
999999
env = g_get_environ ();
10001000

1001+
/* Let the environment variables given by the caller override the ones
1002+
* from extra_args. Don't add them to @env, because they are controlled
1003+
* by our caller, which might be trying to use them to inject code into
1004+
* flatpak(1); add them to the environment block instead.
1005+
*
1006+
* We don't use --env= here, so that if the values are something that
1007+
* should not be exposed to other uids, they can remain confidential. */
10011008
n_envs = g_variant_n_children (arg_envs);
10021009
for (i = 0; i < n_envs; i++)
10031010
{
10041011
const char *var = NULL;
10051012
const char *val = NULL;
10061013
g_variant_get_child (arg_envs, i, "{&s&s}", &var, &val);
10071014

1008-
env = g_environ_setenv (env, var, val, TRUE);
1015+
if (var[0] == '\0')
1016+
{
1017+
g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
1018+
G_DBUS_ERROR_INVALID_ARGS,
1019+
"Environment variable cannot have empty name");
1020+
return G_DBUS_METHOD_INVOCATION_HANDLED;
1021+
}
1022+
1023+
if (strchr (var, '=') != NULL)
1024+
{
1025+
g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
1026+
G_DBUS_ERROR_INVALID_ARGS,
1027+
"Environment variable name cannot contain '='");
1028+
return G_DBUS_METHOD_INVOCATION_HANDLED;
1029+
}
1030+
1031+
g_string_append (env_string, var);
1032+
g_string_append_c (env_string, '=');
1033+
g_string_append (env_string, val);
1034+
g_string_append_c (env_string, '\0');
10091035
}
10101036

10111037
g_ptr_array_add (flatpak_argv, g_strdup ("flatpak"));
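Review bot: at lines 1031-1034 every caller-supplied pair is appended to env_string verbatim, whereas the removed g_environ_setenv (env, var, val, TRUE) call at 1008 overwrote any earlier entry with the same name; a caller that sends the same variable twice now produces two entries in the block, and which one takes effect depends on the consumer of that block, so either state in the comment at 1001-1007 that last-wins ordering is relied on, or drop duplicates in the loop. The empty-name and '=' checks at 1015-1029 are the right minimum for a "VAR=VALUE" followed by NUL encoding; the two early returns fire after earlier iterations may already have appended to env_string, which is fine only because the method returns without spawning, so a one-line comment noting that nothing downstream reads the partial block would help the next reader.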
