portal: Do not use caller-supplied variables in environment
If the caller specifies a variable that can be used to inject arbitrary
code into processes, we must not allow it to enter the environment
block used to run `flatpak run`, which runs unsandboxed.

This change requires the previous commit "context: Add --env-fd option",
which adds infrastructure used here.

To be secure, this change also requires the previous commit
"run: Convert all environment variables into bwrap arguments", which
protects a non-setuid bwrap(1) from the same attack.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Part-of: GHSA-4ppf-fxf6-vxg2
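The commit message says caller-supplied variables must be kept out of the portal's own environment and handed over through --env-fd instead, and the hunk below serialises each entry as NAME=VALUE followed by a NUL into env_string. The following is an added example, not flatpak's own code, that shows both halves of that pattern in isolation: a producer that validates names the same way the hunk does (empty name, '=' in the name) and serialises into a NUL-separated block, and a consumer that turns the block back into an envp array for execve without ever calling setenv in the parent. struct env_block, env_block_add, env_block_to_envp, build_sample_block and sample_envs are hypothetical names; the sample entries are constructed; the assumption that the consumer splits on NUL comes from the g_string_append_c (env_string, '\0') in the hunk, not from any --env-fd documentation on this page. Unlike the portal, which fails the whole request on the first bad entry, the sample builder skips and counts rejected entries so every case runs in one pass.

```c
/* Added example, not flatpak code: build and consume a NUL-separated
 * NAME=VALUE environment block so caller-controlled variables never
 * enter the producing process's own environment. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer of NAME=VALUE\0 entries. */
struct env_block {
    char *data;
    size_t len;
    size_t cap;
};

/* Same two checks the portal applies: an empty name would yield a bare
 * "=value" entry, and '=' inside the name would be re-split by the consumer. */
static int env_name_valid(const char *name)
{
    return name != NULL && name[0] != '\0' && strchr(name, '=') == NULL;
}

/* Append NAME=VALUE\0 to the block. Returns 0 on success, -1 on an invalid
 * name or allocation failure. Deliberately never touches setenv/environ. */
static int env_block_add(struct env_block *b, const char *name, const char *value)
{
    size_t nlen, vlen, need;

    if (!env_name_valid(name) || value == NULL)
        return -1;
    nlen = strlen(name);
    vlen = strlen(value);
    need = b->len + nlen + 1 + vlen + 1;
    if (need > b->cap) {
        size_t ncap = b->cap ? b->cap : 64;
        char *p;
        while (ncap < need)
            ncap *= 2;
        p = realloc(b->data, ncap);
        if (p == NULL)
            return -1;
        b->data = p;
        b->cap = ncap;
    }
    memcpy(b->data + b->len, name, nlen);
    b->len += nlen;
    b->data[b->len++] = '=';
    memcpy(b->data + b->len, value, vlen);
    b->len += vlen;
    b->data[b->len++] = '\0';
    return 0;
}

static char *dup_cstring(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Consumer side: split a block read back from an fd into a NULL-terminated
 * envp array. A block whose last entry lacks its NUL terminator is rejected. */
static char **env_block_to_envp(const char *data, size_t len, size_t *count_out)
{
    size_t i, n = 0, start = 0;
    char **envp;

    if (len > 0 && data[len - 1] != '\0')
        return NULL;
    for (i = 0; i < len; i++)
        if (data[i] == '\0')
            n++;
    envp = calloc(n + 1, sizeof *envp);
    if (envp == NULL)
        return NULL;
    n = 0;
    for (i = 0; i < len; i++) {
        if (data[i] == '\0') {
            envp[n++] = dup_cstring(data + start);
            start = i + 1;
        }
    }
    if (count_out != NULL)
        *count_out = n;
    return envp;
}

static void envp_free(char **envp)
{
    size_t i;
    if (envp == NULL)
        return;
    for (i = 0; envp[i] != NULL; i++)
        free(envp[i]);
    free(envp);
}

/* Constructed sample of what an untrusted D-Bus caller might hand over. */
struct env_pair { const char *name; const char *value; };
static const struct env_pair sample_envs[] = {
    { "FOO",   "bar" },
    { "",      "no-name" },             /* rejected: empty name */
    { "A=B",   "c" },                   /* rejected: '=' in name */
    { "MULTI", "line one\nline two" },  /* accepted: only NUL delimits entries */
};

/* Returns the number of rejected entries; *accepted_out gets the rest. */
static int build_sample_block(struct env_block *b, size_t *accepted_out)
{
    size_t i, accepted = 0;
    int rejected = 0;

    for (i = 0; i < sizeof sample_envs / sizeof sample_envs[0]; i++) {
        if (env_block_add(b, sample_envs[i].name, sample_envs[i].value) == 0)
            accepted++;
        else
            rejected++;
    }
    if (accepted_out != NULL)
        *accepted_out = accepted;
    return rejected;
}

int main(void)
{
    struct env_block b = { NULL, 0, 0 };
    size_t accepted = 0, n = 0, i;
    int rejected = build_sample_block(&b, &accepted);
    char **envp = env_block_to_envp(b.data, b.len, &n);

    printf("accepted %zu, rejected %d, block %zu bytes\n", accepted, rejected, b.len);
    for (i = 0; envp != NULL && envp[i] != NULL; i++)
        printf("envp[%zu] = %s\n", i, envp[i]);
    envp_free(envp);
    free(b.data);
    return 0;
}
```

The producer never calls setenv, so the rejected and accepted values alike stay out of the process that would later exec `flatpak run`; only the child built from the envp array sees them, and values are carried over an fd rather than in argv, which is the confidentiality point the hunk's comment makes about not using --env=.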
smcv authored and alexlarsson committed Jan 14, 2021
1 parent 39a5621 commit cc14010
Showing 1 changed file with 27 additions and 1 deletion.
28 changes: 27 additions & 1 deletion portal/flatpak-portal.c
@@ -998,14 +998,40 @@ handle_spawn (PortalFlatpak *object,
else
env = g_get_environ ();

/* Let the environment variables given by the caller override the ones
* from extra_args. Don't add them to @env, because they are controlled
* by our caller, which might be trying to use them to inject code into
* flatpak(1); add them to the environment block instead.
*
* We don't use --env= here, so that if the values are something that
* should not be exposed to other uids, they can remain confidential. */
n_envs = g_variant_n_children (arg_envs);
for (i = 0; i < n_envs; i++)
{
const char *var = NULL;
const char *val = NULL;
g_variant_get_child (arg_envs, i, "{&s&s}", &var, &val);

env = g_environ_setenv (env, var, val, TRUE);
if (var[0] == '\0')
{
g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
G_DBUS_ERROR_INVALID_ARGS,
"Environment variable cannot have empty name");
return G_DBUS_METHOD_INVOCATION_HANDLED;
}

if (strchr (var, '=') != NULL)
{
g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
G_DBUS_ERROR_INVALID_ARGS,
"Environment variable name cannot contain '='");
return G_DBUS_METHOD_INVOCATION_HANDLED;
}

g_string_append (env_string, var);
g_string_append_c (env_string, '=');
g_string_append (env_string, val);
g_string_append_c (env_string, '\0');
}

g_ptr_array_add (flatpak_argv, g_strdup ("flatpak"));
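Review bot: the two early returns inside the loop (at "Environment variable cannot have empty name" and "Environment variable name cannot contain '='") leave handle_spawn before anything after the loop runs, and the visible lines do not show how @env and @env_string are declared; if they are not g_auto-managed, every rejected request leaks both, so please confirm the declarations at the top of the function or route the error through the function's normal cleanup path. The comment above the loop would also benefit from one more line: it explains why --env= is avoided, but not that @env_string is the NUL-separated NAME=VALUE block handed to the child via --env-fd, which is the only thing that makes `g_string_append_c (env_string, '\0')` obviously correct to a reader. The checks themselves are the right minimum for that format: an empty name would produce a bare "=value" entry and a '=' in the name would be split at a different point by the consumer, and the removed `env = g_environ_setenv (env, var, val, TRUE);` is exactly the line the new comment warns against.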