From 55e26c296fd14129b30c821044764f29e8267670 Mon Sep 17 00:00:00 2001
From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
Date: Mon, 20 Jun 2016 23:10:48 +0200
Subject: [PATCH 1/2] system-helper: Reorder flatpak_authorize_method_handler

Reduces code duplication.
---
 system-helper/flatpak-system-helper.c | 91 +++++----------------------
 1 file changed, 14 insertions(+), 77 deletions(-)

diff --git a/system-helper/flatpak-system-helper.c b/system-helper/flatpak-system-helper.c
index 2098cca9..0f5ef97b 100644
--- a/system-helper/flatpak-system-helper.c
+++ b/system-helper/flatpak-system-helper.c
@@ -512,28 +512,17 @@ flatpak_authorize_method_handler (GDBusInterfaceSkeleton *interface,
                                   GDBusMethodInvocation  *invocation,
                                   gpointer                user_data)
 {
-  const gchar *method_name;
-  GVariant *parameters;
-  gboolean authorized;
-  const gchar *sender;
-  const gchar *action;
+  const gchar *method_name = g_dbus_method_invocation_get_method_name (invocation);
+  const gchar *sender = g_dbus_method_invocation_get_sender (invocation);
+  GVariant *parameters = g_dbus_method_invocation_get_parameters (invocation);
+  g_autoptr(AutoPolkitSubject) subject = polkit_system_bus_name_new (sender);
+  g_autoptr(AutoPolkitDetails) details = polkit_details_new ();
+  const gchar *action = NULL;
+  gboolean authorized = FALSE;
 
   /* Ensure we don't idle exit */
   schedule_idle_callback ();
 
-  g_autoptr(AutoPolkitSubject) subject = NULL;
-  g_autoptr(AutoPolkitDetails) details = NULL;
-  g_autoptr(GError) error = NULL;
-  g_autoptr(AutoPolkitAuthorizationResult) result = NULL;
-
-  authorized = FALSE;
-
-  method_name = g_dbus_method_invocation_get_method_name (invocation);
-  parameters = g_dbus_method_invocation_get_parameters (invocation);
-
-  sender = g_dbus_method_invocation_get_sender (invocation);
-  subject = polkit_system_bus_name_new (sender);
-
   if (on_session_bus)
     {
       /* This is test code, make sure it never runs with privileges */
@@ -547,8 +536,7 @@ flatpak_authorize_method_handler (GDBusInterfaceSkeleton *interface,
     {
       const char *ref, *origin;
       guint32 flags;
-      gboolean is_update;
-      gboolean is_app;
+      gboolean is_update, is_app;
 
       g_variant_get_child (parameters, 1, "u", &flags);
       g_variant_get_child (parameters, 2, "&s", &ref);
@@ -572,22 +560,8 @@ flatpak_authorize_method_handler (GDBusInterfaceSkeleton *interface,
             action = "org.freedesktop.Flatpak.runtime-install";
         }
 
-      details = polkit_details_new ();
       polkit_details_insert (details, "origin", origin);
       polkit_details_insert (details, "ref", ref);
-
-      result = polkit_authority_check_authorization_sync (authority, subject,
-                                                          action, details,
-                                                          POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION,
-                                                          NULL, &error);
-      if (result == NULL)
-        {
-          g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
-                                                 "Authorization error: %s", error->message);
-          return FALSE;
-        }
-
-      authorized = polkit_authorization_result_get_is_authorized (result);
     }
   else if (g_strcmp0 (method_name, "DeployAppstream") == 0)
     {
@@ -598,22 +572,8 @@ flatpak_authorize_method_handler (GDBusInterfaceSkeleton *interface,
 
       action = "org.freedesktop.Flatpak.appstream-update";
 
-      details = polkit_details_new ();
       polkit_details_insert (details, "origin", origin);
       polkit_details_insert (details, "arch", arch);
-
-      result = polkit_authority_check_authorization_sync (authority, subject,
-                                                          action, details,
-                                                          POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION,
-                                                          NULL, &error);
-      if (result == NULL)
-        {
-          g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
-                                                 "Authorization error: %s", error->message);
-          return FALSE;
-        }
-
-      authorized = polkit_authorization_result_get_is_authorized (result);
     }
   else if (g_strcmp0 (method_name, "InstallBundle") == 0)
     {
@@ -623,21 +583,7 @@ flatpak_authorize_method_handler (GDBusInterfaceSkeleton *interface,
 
       action = "org.freedesktop.Flatpak.install-bundle";
 
-      details = polkit_details_new ();
       polkit_details_insert (details, "path", path);
-
-      result = polkit_authority_check_authorization_sync (authority, subject,
-                                                          action, details,
-                                                          POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION,
-                                                          NULL, &error);
-      if (result == NULL)
-        {
-          g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
-                                                 "Authorization error: %s", error->message);
-          return FALSE;
-        }
-
-      authorized = polkit_authorization_result_get_is_authorized (result);
     }
   else if (g_strcmp0 (method_name, "Uninstall") == 0)
     {
@@ -652,21 +598,7 @@ flatpak_authorize_method_handler (GDBusInterfaceSkeleton *interface,
       else
         action = "org.freedesktop.Flatpak.runtime-uninstall";
 
-      details = polkit_details_new ();
       polkit_details_insert (details, "ref", ref);
-
-      result = polkit_authority_check_authorization_sync (authority, subject,
-                                                          action, details,
-                                                          POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION,
-                                                          NULL, &error);
-      if (result == NULL)
-        {
-          g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
-                                                 "Authorization error: %s", error->message);
-          return FALSE;
-        }
-
-      authorized = polkit_authorization_result_get_is_authorized (result);
     }
   else if (g_strcmp0 (method_name, "ConfigureRemote") == 0)
     {
@@ -676,8 +608,13 @@ flatpak_authorize_method_handler (GDBusInterfaceSkeleton *interface,
 
       action = "org.freedesktop.Flatpak.configure-remote";
 
-      details = polkit_details_new ();
       polkit_details_insert (details, "remote", remote);
+    }
+
+  if (action)
+    {
+      g_autoptr(AutoPolkitAuthorizationResult) result;
+      g_autoptr(GError) error = NULL;
 
       result = polkit_authority_check_authorization_sync (authority, subject,
                                                           action, details,

From 599f8b963d3288460894c19ce1403266b8a67439 Mon Sep 17 00:00:00 2001
From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
Date: Mon, 20 Jun 2016 23:42:19 +0200
Subject: [PATCH 2/2] system-handler: Don't leak path string

Without &, ^ay dups the string.
---
 system-helper/flatpak-system-helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/system-helper/flatpak-system-helper.c b/system-helper/flatpak-system-helper.c
index 0f5ef97b..476d1a43 100644
--- a/system-helper/flatpak-system-helper.c
+++ b/system-helper/flatpak-system-helper.c
@@ -579,7 +579,7 @@ flatpak_authorize_method_handler (GDBusInterfaceSkeleton *interface,
     {
       const char *path;
 
-      g_variant_get_child (parameters, 0, "^ay", &path);
+      g_variant_get_child (parameters, 0, "^&ay", &path);
 
       action = "org.freedesktop.Flatpak.install-bundle";