Commit Graph

1536 Commits

Author SHA1 Message Date
Alexander Larsson
b7c1a558e5 When starting non-static command using bwrap use "--"
This ensures that the command is not taken to be a bwrap option.

Resolves: CVE-2024-32462
Resolves: GHSA-phv6-cpc2-2fgj
Signed-off-by: Alexander Larsson <alexl@redhat.com>
[smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path]
[smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct]
Signed-off-by: Simon McVittie <smcv@collabora.com>
2024-04-17 18:12:01 +01:00
Matthias Klumpp
acec767157 Adjust to AppStream 1.0 API changes
(cherry picked from commit c0c466f269)
2023-11-14 21:31:53 +00:00
Timo Eisenmann
6fc12bfaa7 remote-info: Fix call to flatpak_dir_load_appstream_store()
Use architecture instead of id in call to
flatpak_dir_load_appstream_store ().

Without this, remote-info does not show AppStream metadata.

Fixes: adb3b61f "decomposed: Return FlatpakDecomposed from flatpak_dir_find_remote_ref()"
(cherry picked from commit 02bef871c0)
2023-11-14 21:31:13 +00:00
Simon McVittie
419e784e5e app: Use AS_FORMAT_STYLE_CATALOG if available
AS_FORMAT_STYLE_COLLECTION is a deprecated alias for ..._CATALOG, and
was removed entirely in appstream git main (presumably version 0.17
or 1.0).

Resolves: https://github.com/flatpak/flatpak/issues/5472
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 7a55b7c49f)
2023-11-14 21:29:56 +00:00
Simon McVittie
8434abaedf app: Provide a stub implementation of AS_CHECK_VERSION if needed
Our only code that is conditional on the libappstream version wants
version 0.14.0, which conveniently is exactly the version that
introduced AS_CHECK_VERSION.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 556984e1c1)
2023-11-14 21:29:49 +00:00
Simon McVittie
9de6856f7e run: Make it clearer that rest_argv_start is not used uninitialized
rest_argv_start is initialized whenever rest_argc != 0, so the previous
code was in fact safe; but this wasn't obvious to either a human reader
or the compiler, and some gcc versions warn here.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 0e3e646839)
2023-11-14 21:27:17 +00:00
Simon McVittie
583cb3a16f cli-transaction: Escape any special characters in the EOL reason
CVE-2023-28101, GHSA-h43h-fwqx-mpp8

Signed-off-by: Simon McVittie <smcv@collabora.com>
2023-03-16 09:55:13 +00:00
Ryan Gonzalez
9e7ec07e67 Ensure special characters in permissions and metadata are escaped
This prevents someone from placing special characters in order to
manipulate the appearance of the permissions list.

CVE-2023-28101, GHSA-h43h-fwqx-mpp8

Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
2023-03-16 09:55:13 +00:00
Simon McVittie
b80616c2da list: Show a warning if we can't load the current version
Conceptually similar to the previous commit, except it didn't crash
before, just didn't display anything.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 628750d2de)
2023-02-21 12:10:11 +00:00
Simon McVittie
dcdae9e362 list: Handle error in flatpak_dir_load_deployed()
flatpak_dir_load_deployed() can fail and return NULL. If that happens,
there is a semi-installed but broken app, and we should show a warning
rather than crashing.

Resolves: https://github.com/flatpak/flatpak/issues/5293
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 5e2e771ece)
2023-02-21 12:10:11 +00:00
Simon McVittie
b6122f659c main: Treat g_info() as equivalent to g_debug()
This makes us consistent with the default behaviour of GLib, and
its behaviour with G_MESSAGES_DEBUG=all. g_debug() and g_info() are
the two lowest priority levels, and GLib normally silences them by
default.

At the moment, Flatpak uses G_LOG_LEVEL_DEBUG in the flatpak2 domain
as its lowest-priority log level (only shown with flatpak -v -v), and
G_LOG_LEVEL_DEBUG in the flatpak domain as its second-lowest
(shown with flatpak -v or higher). I want to move towards using
G_LOG_LEVEL_INFO for flatpak -v messages, and G_LOG_LEVEL_DEBUG for
flatpak -v -v, so that we don't need a second log domain: this is a
policy I've used successfully in Flatpak-derived Steam Runtime code.

This change does not fully implement that policy, but gives us a
migration path towards it, by allowing us to start using g_info() for
flatpak -v messages.

Helps: https://github.com/flatpak/flatpak/issues/5001
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit ac4e322629)
2023-01-30 11:50:47 +00:00
Phaedrus Leeds
6929db2cb7 repair: Fix off-by-one error in fancy output
Fixes https://github.com/flatpak/flatpak/issues/5204

(cherry picked from commit 8ca1604a94)
2023-01-30 11:50:25 +00:00
Robert Ancell
90b15f916a app: Fix warning when listing a document with no permissions.
(flatpak documents:2965757): GLib-CRITICAL **: 11:27:35.128: g_variant_iter_next_value: must not be called again after NULL has already been returned.

This is due to the applications iterator being checked twice even though it is empty.

(cherry picked from commit b204ed2466)
2022-10-28 13:07:15 +01:00
Phaedrus Leeds
600e18567c Add a vim modeline and .editorconfig
To make indentation work with less effort. The modeline was copied from
libostree with minor modification and the .editorconfig from GLib.

The advantage of having both a modeline and an editorconfig is we can
work out of the box on more editor setups, and the modeline allows us to
specify the style with a lot more fine grained control.
2022-08-22 19:48:10 -07:00
Phaedrus Leeds
ff8490a91e app: Add -u alias for --user
Save folks a few keystrokes. There is a command which already has a '-u'
option, document-export, but it doesn't support --user so there should
be no conflict. However '-s' is used by the info command among others,
so we can't use that for --system.
2022-08-16 10:50:29 +02:00
Simon McVittie
a03111a3d1 enter: Don't overwrite the DISPLAY
Now that we're using the same display number in the sandbox as on the
host, we can forget about overwriting it with :99.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-08-16 10:45:08 +02:00
Phaedrus Leeds
60005cfcc2 build-export: Don't warn on missing Exec= if DBusActivatable=true
The Desktop Entry spec says that Exec= is only required if
DBusActivatable= is not set to true, so don't emit a warning when Exec=
is missing but not required.
2022-08-16 10:42:06 +02:00
Danilo Bargen
298286be2d build-export: Explicitly allow empty Exec values in desktop file
2022-08-16 10:42:06 +02:00
Danilo Bargen
6dbc097ac5 build-export: Avoid segfault if Exec line is missing from desktop file
2022-08-16 10:42:06 +02:00
Phaedrus Leeds
6db7806762 build-export: Fully ignore stdout content of icon validation
The docs for g_spawn_sync() say:
"Note that you must set the G_SPAWN_STDOUT_TO_DEV_NULL and
G_SPAWN_STDERR_TO_DEV_NULL flags when passing NULL for standard_output
and standard_error."

So add in the stdout flag when calling flatpak-validate-icon in the
build-export command. Without this, there's output in the test logs
from when they're building the test app, due to
https://github.com/flatpak/flatpak/pull/4803
2022-07-25 16:58:16 -04:00
Phaedrus Leeds
cf8979b1b0 app: Un-split translatable strings again
As with the previous commits, try not to split translatable sentences.
See the discussion here about whether the "Warning: "/"Error: " prefix
should be separable:
https://github.com/flatpak/flatpak/pull/4963#discussion_r908326539

Also, don't translate the "(internal error..." message since internal
errors shouldn't be translated to make debugging easier.
2022-07-23 14:18:50 -05:00
Phaedrus Leeds
0465c464af app: Remove a duplicated else if block
2022-07-23 14:18:50 -05:00
Phaedrus Leeds
da5a38c17c app: Un-split some translatable strings
Also make them a bit prettier while we're here

Fixes https://github.com/flatpak/flatpak/issues/4877
2022-07-23 14:18:50 -05:00
Phaedrus Leeds
bf2a0cc2ec app: Un-split EOL translatable sentences
Fixes https://github.com/flatpak/flatpak/issues/4956
2022-07-23 14:18:50 -05:00
Phaedrus Leeds
e1e6465f26 uninstall: Prompt for confirmation on used runtime removal
It doesn't make a lot of sense to prompt for confirmation when an in-use
extension is requested to be uninstalled, but not do so for an in-use
runtime, even if (or perhaps especially since) the latter causes the
transaction to fail later on.
2022-07-21 14:32:45 -05:00
Phaedrus Leeds
bf99c266a8 app: Tweak messages about dependent apps
Use an "Info: " prefix which matches the message printed in
print_eol_info_message(). Also make the message accurately use either
the word "runtime" or "extension" as appropriate.
2022-07-21 14:32:45 -05:00
Phaedrus Leeds
65a4bb0a3d uninstall: Ask for confirmation for used runtime extensions
Based on discussions on the issue tracker, it seems that users sometimes
remove runtime extensions without really understanding whether they're
in use. Add a confirmation prompt to address this.

Helps: #4549
2022-07-21 14:32:45 -05:00
Phaedrus Leeds
ae0de69b17 app: Improve checking for dependent apps in EOL messages
flatpak_dir_list_app_refs_with_runtime_extension() only works when the
runtime extension it is passed and the apps it returns are both
installed. Sometimes an end-of-life message is printed for a runtime that
is not installed but is being installed by the current transaction, or a
runtime that is installed but one of the apps that needs it is being
installed by the current transaction. To cover these cases, check the
operations in the current transaction when building informational
messages about EOL runtimes.
2022-07-21 14:32:45 -05:00
Phaedrus Leeds
e739773056 app: List apps that use a runtime extension when it's EOL
Currently if a runtime extension, e.g.
org.freedesktop.Platform.html5-codecs//18.08 is used by a runtime
org.kde.Platform//5.12 which itself is used by one or more apps, when we
print a message to the user about html5-codecs being EOL, we don't find
any apps using it and don't print any. Fix this by including apps that
indirectly use a runtime extension in the "Applications using this
runtime:" list.

In a later commit we can re-use the helper function added here to add a
confirmation dialog if the user tries to remove a runtime extension
that's being used; currently we just let them remove it.

This is limited to only looking in the current flatpak installation, so
a per-user app using a system-wide runtime extension would not be found.

This is implemented using in-memory caches because otherwise it is
horribly slow; see
https://github.com/flatpak/flatpak/pull/4835#discussion_r876425289

Helps: #3531
2022-07-21 14:32:45 -05:00
Phaedrus Leeds
320889c1a2 app/flatpak-complete.c: Fix typo
2022-07-18 18:51:07 -05:00
Phaedrus Leeds
bf93e004e9 app: Fix inefficiency in pin and mask commands
There's no point reading data from disk on a code path that doesn't do
anything with it.
2022-07-18 18:51:07 -05:00
Fina Wilke
f4b038c8b1 Increase verbosity of extension missing error messages
Adds arch and branch to the error message to help with locating the required
extension arch and branch.
2022-07-17 15:36:21 -05:00
Alexander Larsson
1c9e65d5e4 Move all use of soup APIs into flatpak-utils-http
This will allow us to make the soup dependency optional.
2022-06-16 13:49:45 +02:00
Alexander Larsson
b1083a4c41 http utils: Make a generic FlatpakHttpSession instead of SoupSession
It's still just a SoupSession, but now the implementation is more
centralized and can be something else down the line.
2022-06-16 13:49:45 +02:00
Phaedrus Leeds
e9030fe2f6 update: Add newline before nothing to do message
This looks better in case there are warnings or info messages printed
during the update operation, since those are separated from each other
by newlines (at least the EOL ones).
2022-06-15 16:44:17 -07:00
Phaedrus Leeds
f8d24a9b1e app: Use bold app ID for permissions heading
2022-06-15 16:44:17 -07:00
Phaedrus Leeds
6a9a71b2de uninstall: Fix support for --noninteractive
Just copy the same way we set opt_yes in the install and update
commands.
2022-06-15 16:44:17 -07:00
Phaedrus Leeds
1f7ff92c51 app: Improve end-of-life info message
I think the "app//branch" syntax is pretty ugly, and maybe not all users
understand it.

Helps: #3531
2022-06-15 16:44:17 -07:00
Phaedrus Leeds
4869437880 app: Fix typo in debug message
2022-06-15 16:44:17 -07:00
Alexander Larsson
204abd772f main: Don't install polkit agent when running in tests, fixing slowness.
In the tests we don't use a systemwide helper anyway, so the polkit
stuff is unnecessary. Also, for some reason this was taking a very
long time for me, causing the tests to be super slow.
2022-06-13 20:02:04 +01:00
Debarshi Ray
ed3a1b5f45 build: Don't leak the destination prefix
Clearly, 'dest' can't be a 'const char *' when it's pointing at
g_strdup:ed strings.
2022-06-03 10:53:03 +02:00
Ryan Gonzalez
12305b2cae Add --include-sdk/debug to install SDK/debuginfo along with a ref
This makes it a lot easier to give guidance on using `flatpak run -d` or
`flatpak-coredumpctl`, because there's an easy way to install the
relevant refs.

Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
2022-05-06 17:35:30 -07:00
Phaedrus Leeds
239706c9c1 uninstall: Make help message more accurate
2022-04-23 14:54:58 +01:00
Phaedrus Leeds
c7d262b375 app: Disable fuzzy matching if not on a tty
As discussed in #4848, this disables fuzzy matching entirely if stdin or
stdout is not a tty, meaning that something like "flatpak install
firefox" would be treated as incorrect syntax, since this syntax is
intended for interactive CLI use. Even before this commit, "flatpak
install firefox" would error out if run without a tty, since we don't
automatically choose a matching app ID even if there is only one match.
However "flatpak install -y firefox" could work before, but won't any
more. People should be specifying the full app ID in any context other
than a tty.

This commit also introduces a new env var so the unit tests can continue
to check the fuzzy matching behavior, despite them being run without a
tty.
2022-04-21 20:53:46 +01:00
Phaedrus Leeds
5acb4ee7e4 app: Disable fuzzy ref matching when id has a period
As discussed in #4848, this disables fuzzy matching when the string
given has a period in it. So for example "flatpak install org.mozilla"
would not offer "org.mozilla.firefox" even though the string given is a
substring of the app ID. This is desirable because it helps ensure fuzzy
matching is only used when the user intended to use it.

As with the previous commit that fixed #4829, this does technically
break backwards compatibility, but only in an interface intended for
interactive use by a human, not an interface that's used
programmatically, so it seems okay.
2022-04-21 20:53:46 +01:00
Phaedrus Leeds
23926b7090 app: Disable fuzzy ref matching when id has a slash
Fixes https://github.com/flatpak/flatpak/issues/4829
2022-04-21 20:53:46 +01:00
Phaedrus Leeds
9e6b28daf5 uninstall: Make error message prettier
The "*unspecified*" bits are ugly, and the ref/arch/branch syntax is
especially confusing when we're doing fuzzy matching, since it implies
the id was searched for exactly.
2022-04-19 15:38:44 +01:00
Phaedrus Leeds
a30ef8f007 uninstall: Error out when all refs are invalid
Currently if you specify one non-existent ref to the uninstall command,
it exits with a non-zero status:

$ flatpak uninstall notaflatpak
error: notaflatpak/*unspecified*/*unspecified* not installed

...but if you specify more than one non-existent ref you get warnings
for each and a zero exit status:

$ flatpak uninstall notaflatpak alsonot
Warning: notaflatpak is not installed
Warning: alsonot is not installed

So make the latter case error out like the former.
2022-04-19 15:38:44 +01:00
Simon McVittie
c68f31d86a build: Consistently include libglnx header as "libglnx.h"
Recent Meson versions have warnings if you add the subprojects
directory as an include path, because the way Meson wants to consume
subprojects is by the subproject's build system producing a Meson
dependency object that encapsulates its include directory. Flatpak
doesn't have a Meson build system yet, but I'm working on that.

libglnx seems to be set up to have the libglnx directory be its include
path instead: for example, ostree (by the author of libglnx) already
uses "libglnx.h" or <libglnx.h> everywhere. Do the same here.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-04-11 10:32:34 +02:00
Phaedrus Leeds
03f11864b9 Improve --sideload-repo option to take create-usb dirs
Currently, when using the sideloading support for offline updates, there
are two types of directories that are interesting: an ostree repo
directory or a directory that was passed to `flatpak create-usb`. By
default the latter has a repo at the subpath ".ostree/repo", and if a
custom destination was specified with "--destination-repo", a symlink is
created pointing to it in ".ostree/repos.d".

Currently Flatpak supports either repos or create-usb dirs in the
`sideload-repos` directory in either the Flatpak installation or
`/run/flatpak` (see flatpak(1)), but only supports repo directories
being passed to "--sideload-repo" for the install and update commands.

This is pretty confusing and actually made me think the sideload support
was broken because I forgot about this limitation. So change things so
we can accept either type of directory specified either way: via option
or via the "sideload-repos" directories.

I've tested all of the following cases:
- pointing to a repo with --sideload-repo
- pointing to a create-usb dir with --sideload-repo
- linking to a repo in ~/.local/share/flatpak/sideload-repos
- linking to a create-usb dir in ~/.local/share/flatpak/sideload-repos
- pulling from a sideload repo when online as a performance improvement
2022-04-11 10:31:13 +02:00