
gvfs-1.32.1-1.2.mga6.src.rpm

From a0da5f16feda323c29850c495acd86dfc8fbb262 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 5 Jun 2019 13:36:52 +0100
Subject: [PATCH] gvfsdaemon: Only accept EXTERNAL authentication

EXTERNAL is the mechanism recommended in the D-Bus Specification for
all platforms where it is supported (including Linux, *BSD, Solaris
and Hurd), and is the only mechanism allowed by the session or system
dbus-daemon in their default configurations. It is considerably simpler
than DBUS_COOKIE_SHA1 and relies on fewer assumptions.

Signed-off-by: Simon McVittie <smcv@collabora.com>
---
 daemon/gvfsdaemon.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

Index: gvfs-1.40.1/daemon/gvfsdaemon.c
===================================================================
--- gvfs-1.40.1.orig/daemon/gvfsdaemon.c	2019-07-05 08:31:49.109052732 -0400
+++ gvfs-1.40.1/daemon/gvfsdaemon.c	2019-07-05 08:31:49.105052716 -0400
@@ -241,6 +241,22 @@ name_vanished_handler (GDBusConnection *
 }
 
 /*
+ * Authentication observer signal handler that rejects all authentication
+ * mechanisms except for EXTERNAL (credentials-passing), which is the
+ * recommended authentication mechanism for AF_UNIX sockets.
+ */
+static gboolean
+allow_mechanism_cb (GDBusAuthObserver *observer,
+                    const gchar *mechanism,
+                    G_GNUC_UNUSED gpointer user_data)
+{
+  if (g_strcmp0 (mechanism, "EXTERNAL") == 0)
+    return TRUE;
+
+  return FALSE;
+}
+
+/*
  * Authentication observer signal handler that authorizes connections
  * from the same uid as this process. This matches the behaviour of a
  * libdbus DBusServer/DBusConnection when no DBusAllowUnixUserFunction
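Review bot: The comment above allow_mechanism_cb names the accepted mechanism but does not say that the check is a deliberate fail-closed allow-list. Because g_strcmp0 is NULL-safe, a NULL or unrecognised mechanism name falls through to FALSE, and recording that intent makes it harder to widen the list by accident later. I would add a sentence such as `Anything other than an exact "EXTERNAL" match, including DBUS_COOKIE_SHA1, is refused.` to the comment. As a style point, the body reduces to `return g_strcmp0 (mechanism, "EXTERNAL") == 0;`. The function is complete within this hunk.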
@@ -299,6 +315,7 @@ g_vfs_daemon_init (GVfsDaemon *daemon)
   daemon->conn = g_bus_get_sync (G_BUS_TYPE_SESSION, NULL, NULL);
   g_assert (daemon->conn != NULL);
   daemon->auth_observer = g_dbus_auth_observer_new ();
+  g_signal_connect (daemon->auth_observer, "allow-mechanism", G_CALLBACK (allow_mechanism_cb), NULL);
   g_signal_connect (daemon->auth_observer, "authorize-authenticated-peer", G_CALLBACK (authorize_authenticated_peer_cb), NULL);
 
   daemon->daemon_skeleton = gvfs_dbus_daemon_skeleton_new ();
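Review bot: The `allow-mechanism` handler connected here only restricts connections whose server or connection object is actually given `daemon->auth_observer`. The code that creates the daemon's private D-Bus servers is not visible in this hunk, so it is worth confirming that every such call passes this observer rather than NULL. A short comment above the two connects would record how they work together, e.g. `/* Mechanism allow-list is consulted during negotiation, then the same-uid check; a peer must pass both. */`. g_vfs_daemon_init starts and ends outside the hunk.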