mirror of
https://github.com/flatpak/flatpak.git
synced 2026-07-01 19:57:01 -04:00
When starting non-static command using bwrap use "--"
This ensures that the command is not taken to be a bwrap option. Resolves: CVE-2024-32462 Resolves: GHSA-phv6-cpc2-2fgj Signed-off-by: Alexander Larsson <alexl@redhat.com> [smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path] [smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct] Signed-off-by: Simon McVittie <smcv@collabora.com>
committed by
Simon McVittie
parent
c87d8b25c6
commit
81abe2a37d
@@ -587,7 +587,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
|
||||
if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
|
||||
return FALSE;
|
||||
|
||||
flatpak_bwrap_add_args (bwrap, command, NULL);
|
||||
flatpak_bwrap_add_args (bwrap, "--", command, NULL);
|
||||
|
||||
flatpak_bwrap_append_argsv (bwrap,
|
||||
&argv[rest_argv_start + 2],
|
||||
rest_argc - 2);
|
||||
|
||||
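Review bot: The `"--"` added to the `flatpak_bwrap_add_args` call in `flatpak_builtin_build` carries no comment saying why it is there, and the same inline pattern is repeated in the `flatpak_run_app` hunk. A later tidy-up or a new launch site could drop it and reintroduce the option-injection problem the commit message cites (CVE-2024-32462). I would put `/* End of bwrap options: command is not a fixed string and must never be parsed as one */` above the call, matching the comment this commit adds in `add_bwrap_wrapper`. No test is visible on this page; a regression test that passes a command beginning with `--` and checks that it is treated as the executable name would pin the behaviour. The function body starts and ends outside the hunk.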
@@ -6817,6 +6817,7 @@ flatpak_dir_run_triggers (FlatpakDir *self,
|
||||
"--proc", "/proc",
|
||||
"--dev", "/dev",
|
||||
"--bind", basedir, basedir,
|
||||
"--",
|
||||
NULL);
|
||||
#endif
|
||||
flatpak_bwrap_add_args (bwrap,
|
||||
|
||||
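Review bot: The new `"--",` entry in `flatpak_dir_run_triggers` sits inside the preprocessor block closed by the `#endif` just below it, and nothing in the code explains that this placement is deliberate. The opening of the conditional is outside the hunk, but the commit message mentions a fix for the DISABLE_SANDBOXED_TRIGGERS path. Presumably the terminator must only be emitted when the preceding bwrap options are, so that the following `flatpak_bwrap_add_args` call does not start with a stray `--` when bwrap is not used. A short comment would keep someone from moving it out of the conditional: `/* End of bwrap options; kept inside the conditional so the unsandboxed path gets no stray "--" */`.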
@@ -1266,6 +1266,9 @@ add_bwrap_wrapper (FlatpakBwrap *bwrap,
|
||||
if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
|
||||
return FALSE;
|
||||
|
||||
/* End of options: the next argument will be the executable name */
|
||||
flatpak_bwrap_add_arg (bwrap, "--");
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
@@ -4635,7 +4638,7 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
|
||||
if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
|
||||
return FALSE;
|
||||
|
||||
flatpak_bwrap_add_arg (bwrap, command);
|
||||
flatpak_bwrap_add_args (bwrap, "--", command, NULL);
|
||||
|
||||
if (!add_rest_args (bwrap, app_id,
|
||||
exports, (flags & FLATPAK_RUN_FLAG_FILE_FORWARDING) != 0,
|
||||
|
||||
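Review bot: `add_bwrap_wrapper` now returns with `--` as the last element of the argv, which changes its postcondition: any bwrap option a caller appends after it returns will be treated as the command rather than as an option. The inline comment `/* End of options: the next argument will be the executable name */` says this at the call to `flatpak_bwrap_add_arg`, but the contract belongs in the function's header comment, which is outside the hunk if it exists. I would state there that on success the argument vector ends with `--` and that callers may append only the executable and its arguments. The callers are not visible on this page, so it is worth checking that none of them adds options after this call. The `flatpak_run_app` hunk adds `"--"` and `command` in a single call and does not have this ordering hazard.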