portal: validate arguments better

Portals need to validate all their arguments. We were not validating flags at all, and were not very careful with some of the other arguments either. Closes: #2439 Approved by: alexlarsson
2026-02-06 22:11:32 -05:00 · 2018-12-16 14:29:05 -05:00
parent 07a0fd2811
commit f53ef41032
2 changed files with 41 additions and 21 deletions
--- a/portal/flatpak-portal.c
+++ b/portal/flatpak-portal.c
@@ -329,9 +329,45 @@ handle_spawn (PortalFlatpak         *object,
                                  FLATPAK_METADATA_GROUP_APPLICATION,
                                  FLATPAK_METADATA_KEY_NAME, NULL);
  g_assert (app_id != NULL);
+
+  g_debug ("spawn() called from app: '%s'", app_id);
+  if (*app_id == 0)
+    {
+      g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
+                                             G_DBUS_ERROR_INVALID_ARGS,
+                                             "org.freedesktop.portal.Flatpak.Spawn only works in a flatpak");
+      return TRUE;
+    }
+
+
+  if (*arg_cwd_path == 0)
+    arg_cwd_path = NULL;
+
+  if (arg_argv == NULL || *arg_argv == NULL)
+    {
+      g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
+                                             G_DBUS_ERROR_INVALID_ARGS,
+                                             "No command given");
+      return TRUE;
+    }
+
+  if ((arg_flags & ~FLATPAK_SPAWN_FLAGS_ALL) != 0)
+    {
+      g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS,
+                                             "Unsupported flags enabled: 0x%x", arg_flags & ~FLATPAK_SPAWN_FLAGS_ALL);
+      return TRUE;
+    }
+
  runtime_ref = g_key_file_get_string (app_info,
                                       FLATPAK_METADATA_GROUP_APPLICATION,
                                       FLATPAK_METADATA_KEY_RUNTIME, NULL);
+  if (runtime_ref == NULL)
+    {
+      g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS,
+                                             "No runtime found");
+      return TRUE;
+    }
+
  runtime_parts = g_strsplit (runtime_ref, "/", -1);

  branch = g_key_file_get_string (app_info,
@@ -355,27 +391,6 @@ handle_spawn (PortalFlatpak         *object,
  shares = g_key_file_get_string_list (app_info, FLATPAK_METADATA_GROUP_CONTEXT,
                                       FLATPAK_METADATA_KEY_SHARED, NULL, NULL);

-  g_debug ("spawn() called from app: %s", app_id);
-
-  if (*app_id == 0)
-    {
-      g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
-                                             G_DBUS_ERROR_INVALID_ARGS,
-                                             "org.freedesktop.portal.Flatpak.Spawn only works in a flatpak");
-      return TRUE;
-    }
-
-  if (*arg_cwd_path == 0)
-    arg_cwd_path = NULL;
-
-  if (arg_argv == NULL || *arg_argv == NULL)
-    {
-      g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
-                                             G_DBUS_ERROR_INVALID_ARGS,
-                                             "No command given");
-      return TRUE;
-    }
-
  g_variant_lookup (arg_options, "sandbox-expose", "^as", &sandbox_expose);
  g_variant_lookup (arg_options, "sandbox-expose-ro", "^as", &sandbox_expose_ro);

--- a/portal/flatpak-portal.h
+++ b/portal/flatpak-portal.h
@@ -28,4 +28,9 @@ typedef enum {
  FLATPAK_SPAWN_FLAGS_NO_NETWORK = 1 << 3,
 } FlatpakSpawnFlags;

+#define FLATPAK_SPAWN_FLAGS_ALL (FLATPAK_SPAWN_FLAGS_CLEAR_ENV | \
+                                 FLATPAK_SPAWN_FLAGS_LATEST_VERSION | \
+                                 FLATPAK_SPAWN_FLAGS_SANDBOX | \
+                                 FLATPAK_SPAWN_FLAGS_NO_NETWORK)
+
 #endif /* __FLATPAK_PORTAL_H__ */