Commit Graph

8328 Commits

Author SHA1 Message Date
Debarshi Ray
ab69f8ef7e dir, system-helper: Don't ignore errors when getting a remote's URL
Of the 27 instances where ostree_repo_remote_get_url() is used, these
are the only ones where the return value is ignored.  This triggers
Coverity.

It might not always be strictly necessary to handle the errors, but
doing so can only help with debugging.  However, in the case of
flatpak_dir_get_remote_disabled() this clarifies the subtle difference
between an empty URL (i.e., ""), and a NULL URL caused by a corrupt
configuration file or a missing "url" key.
2026-03-19 23:40:29 +00:00
lumingzh
74501ad08a update Chinese translation 2026-03-19 21:22:39 +05:30
Simon McVittie
0c9a818f8d tests: Mention [systemd-]localed in debug messages, not "located"
This was not a typo for "located": the daemon is systemd-localed,
or localed for short.

Fixes: bb549168 "fix: cross typos, detail below"
Signed-off-by: Simon McVittie <smcv@collabora.com>
2026-03-19 21:16:19 +05:30
Sebastian Wick
0a0e9faa04 context: Fix make-sandboxed with multiarch by owning the old permission
We would get a reference to the old permission, then free it, and then
insert the freed pointer into the new hashtable again.

Closes: #6524
Fixes: 6667e1d3 ("context: Use the new permission system for shares and features")
2026-03-19 15:06:24 +00:00
Georges Basile Stavracas Neto
e3b6c4b92f Post-release version bump 2026-03-15 11:13:11 +00:00
Georges Basile Stavracas Neto
13b26a94a3 1.17.3 1.17.3 2026-03-15 11:13:11 +00:00
Georges Basile Stavracas Neto
d25bae1779 Update translation files for 1.17.3 2026-03-15 11:13:11 +00:00
Debarshi Ray
48e7bf32ec builtins-utils: Remove unused function
Fallout from 0221f5a1fa
2026-03-12 19:20:55 +05:30
Debarshi Ray
d7f83c0db1 document-unexport: Fix a -Wanalyzer-null-dereference warning
OpenScanHub [1] triggered this and flagged it as CWE-476 [2]:
  app/flatpak-builtins-document-unexport.c:90:7:
      warning[-Wanalyzer-null-dereference]: dereference of NULL ‘doc_id’
  app/flatpak-builtins-document-unexport.c:48:1: enter_function: entry
      to ‘flatpak_builtin_document_unexport’
  app/flatpak-builtins-document-unexport.c:56:20: release_memory:
      ‘doc_id’ is NULL
  app/flatpak-builtins-document-unexport.c:61:6: branch_false: following
      ‘false’ branch...
  app/flatpak-builtins-document-unexport.c:66:7: branch_false: ...to
      here
  app/flatpak-builtins-document-unexport.c:66:6: branch_false: following
      ‘false’ branch...
  app/flatpak-builtins-document-unexport.c:69:6: branch_false: ...to
      here
  app/flatpak-builtins-document-unexport.c:69:6: branch_false: following
      ‘false’ branch...
  app/flatpak-builtins-document-unexport.c:72:3: branch_false: ...to
      here
  app/flatpak-builtins-document-unexport.c:75:6: branch_false: following
      ‘false’ branch...
  app/flatpak-builtins-document-unexport.c:78:15: branch_false: ...to
      here
  app/flatpak-builtins-document-unexport.c:82:6: branch_false: following
      ‘false’ branch...
  app/flatpak-builtins-document-unexport.c:85:7: branch_false: ...to
      here
  app/flatpak-builtins-document-unexport.c:85:6: branch_true: following
      ‘true’ branch...
  app/flatpak-builtins-document-unexport.c:86:14: call_function: inlined
      call to ‘g_strdup_inline’ from ‘flatpak_builtin_document_unexport’
  app/flatpak-builtins-document-unexport.c:90:7: release_memory:
      ‘doc_id’ is NULL
  app/flatpak-builtins-document-unexport.c:90:7: danger: dereference of
      NULL ‘doc_id’
  #   88|       return FALSE;
  #   89|
  #   90|->   if (strcmp (doc_id, "") == 0)
  #   91|       {
  #   92|         g_print (_("Not exported\n"));

Add an assertion to express that 'doc_id' can't be NULL unless there's a
programmer error.

Spotted by Siteshwar Vashisht.

[1] https://openscanhub.dev/

[2] https://cwe.mitre.org/data/definitions/476.html
2026-03-11 22:31:49 +00:00
Debarshi Ray
596ef2fd7a appdata: Fix a -Wanalyzer-null-argument warning
OpenScanHub [1] triggered this and flagged it as CWE-688 [2]:
  common/flatpak-appdata.c:298:7: warning[-Wanalyzer-null-argument]: use
      of NULL ‘parent’ where non-null expected
  common/flatpak-appdata.c:282:6: branch_false: following ‘false’
      branch...
  common/flatpak-appdata.c:285:3: branch_false: ...to here
  common/flatpak-appdata.c:285:3: branch_true: following ‘true’
      branch...
  common/flatpak-appdata.c:287:15: branch_true: ...to here
  common/flatpak-appdata.c:289:6: branch_false: following ‘false’
      branch...
  common/flatpak-appdata.c:297:7: branch_false: ...to here
  common/flatpak-appdata.c:297:6: branch_true: following ‘true’ branch
      (when the strings are equal)...
  common/flatpak-appdata.c:298:7: branch_true: ...to here
  common/flatpak-appdata.c:298:7: danger: argument 1 (‘parent’) NULL
      where non-null expected
  #  296|     /* avoid picking up <id> elements from e.g. <provides> */
  #  297|     if (g_str_equal (element_name, "id") &&
  #  298|->       g_str_equal (parent, "component"))
  #  299|       {
  #  300|         component->id = g_steal_pointer (&text);

The parsing code doesn't throw any errors from G_MARKUP_ERROR.  It
expects the input to be valid, and relies on assertions to express that.
E.g., it asserts that a <component> element or tag is encountered before
any other, and particularly <content_attribute>, <content_rating> and
<release>.

In the same vein, an assertion was added to express that an <id> element
or tag always has a parent.

Spotted by Siteshwar Vashisht.

[1] https://openscanhub.dev/

[2] https://cwe.mitre.org/data/definitions/688.html
2026-03-11 22:31:49 +00:00
Sabri Ünal
8e7b3c6829 Update Turkish translation 2026-03-11 21:39:15 +00:00
bbhtt
50d9a2f735 builtins-update: Respect opt_noninteractive in update_appstream()
Use opt_noninteractive instead of hardcoded values so AppStream
refresh is quiet only when --noninteractive is specified. This allows
to show a better message instead of repeating and makes the errors
visible as well.

Related: #5716
2026-03-02 16:42:31 +00:00
matt
f256990331 builtins-update: Show a better message when there are no refs to update
Replace the "Nothing to do" message with "Nothing to update." when no
refs have updates available which is slightly clearer.

Fixes: #5716

Co-authored-by: Patrick <github.calorie764@passmail.net>
Co-authored-by: bbhtt <bbhtt.zn0i8@slmail.me>
2026-03-02 16:42:31 +00:00
Manuel Rego Casasnovas
6ae117c250 flatpak-bisect: Use raw string for regular expression
This is showing a SyntaxWarning when using flatpak-bisect
with Python 3.12. Using a raw string fixes it.

See second change listed in:
https://docs.python.org/3/whatsnew/3.12.html#other-language-changes

Closes: #6508
2026-02-25 23:39:15 +05:30
Cathy Hu
b7c1b7e208 selinux: add custom type flatpak_home_t for ~/.local/share/flatpak
The Fedora selinux-policy (and therefore also the openSUSE one)
has a named file transition that relabels folders in ~/.local/share/
with the type `systemd_home_t` when they are called "systemd".

This is unfortunate as this means it will also relabel the
directory under `.local/share/flatpak/.*/systemd`, as it matches
the directory name.

As the systemd filetrans looks valid and it is a shortcoming
of SELinux in general, this is the easiest fix that would
make the folders below .local/share/flatpak not be labelled
incorrectly I would say.

Additionally, this will need a fix in the main selinux-policy.

What happens if we don't fix it?
- Users will have some of the files in .local/share/flatpak
  pop up when running `restorecon` which might confuse them
- At least in regular targeted mode, it will likely not make
  an impact in the sense that some access gets denied, so it just
  "looks ugly"

Reproducer openSUSE Tumbleweed:
```
$ rm -rf ~/.local/share/flatpak
$ flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
$ flatpak install --user flathub org.gnome.Builder
$ restorecon -Rvn ~/.local/share/flatpak
...
Would relabel /home/<user>/.local/share/flatpak/app/org.gnome.Builder/x86_64/stable/327753f4701dbb9046bfb0c0c9c05b16edea0fbd8df7f368525c461d8d30b5a4/files/lib/systemd from unconfined_u:object_r:systemd_home_t:s0 to unconfined_u:object_r:data_home_t:s0
...
```
2026-02-24 21:50:06 +00:00
Anders Jonsson
35040e6e58 Update Swedish translation 2026-02-23 12:57:43 +00:00
Qiheng He
f4d3a52d73 doc: Add compilation instructions for Ubuntu 24.04
Clearly, Ubuntu 24.04 does not enable the `deb-src` repo by default, and `meson` is not a build dependency of `flatpak`.
2026-02-16 15:20:41 +00:00
Qiheng He
b37f739721 main: Default to text auth on WSL
Since this bug can be reproduced on Ubuntu, Debian, and Fedora, we should set `FLATPAK_FORCE_TEXT_AUTH=1` for all WSL users instead of ignoring its existence. After all, the so-called `graphical prompt` in the flatpak documentation seems to be something unique to GNOME. `WSL_DISTRO_NAME` and `WSL_INTEROP` are both located at https://github.com/microsoft/WSL/blob/master/src/linux/init/util.h .
2026-02-07 15:17:33 +05:30
Reilly Brogan
9380e0c66c fix: Build with glibc 2.43
Several glibc functions now return a const pointer if the input is a const pointer and a non-const pointer if the input is non-const, causing a build failure.

Fix this by declaring the output pointers as const if they are never modified and for the lone failure where the output is modified instead make the input non-const.
2026-02-02 18:54:08 +05:30
Rafael Fontenelle
c27af8a9d9 Update Brazilian Portuguese translation 2026-01-22 19:08:42 +05:30
rezky_nightky
bb54916814 fix: cross typos, detail below
What I did
Repository rules / “don’t edit” areas
From CONTRIBUTING.md and subprojects/README.md, subprojects/ contains vendored/submodule/copylib code (bubblewrap, libglnx, dbus-proxy, variant-schema-compiler). I treated subprojects/ as third-party and excluded it from typo fixing.

You already skip po/ (translations) and node_modules/, and I kept those exclusions.

Typos fixed (project-owned files only)
I ran codespell with write mode and exclusions, and fixed the reported typos across:

NEWS
app/…
common/…
doc/…
tests/…
session-helper/…
portal/…
data/…
Then I handled the remaining items individually:

NEWS: thse -> these
common/flatpak-utils-private.h: Thse -> These
app/flatpak-polkit-agent-text-listener.c: identies -> identities
tests/test-auth.sh: Propertly -> Properly
tests/testlibrary.c: remore -> remote
common/flatpak-transaction.c: improved wording to avoid the xwindows typo (X11 window ID)
Added .codespellrc
Created .codespellrc:

skip: node_modules,po,subprojects
ignore-regex: .*(ratatui|Affinitized|affinitized).*
ignore-words-list: nd,ot,THUR,IST,fo,hel,bu
(these were confirmed as legitimate tokens/abbreviations/namespace prefix/test strings in this repo, so they should not be “fixed”)
Verification:

codespell --config .codespellrc . now exits clean.

Signed-off-by: rezky_nightky <with.rezky@gmail.com>
2026-01-21 17:58:19 +00:00
lumingzh
7710c78e97 update Chinese translation 2026-01-20 22:21:24 +00:00
filmsi
92b481e246 Update Slovenian translation (sl.po)
Updated sl.po
2026-01-17 03:53:29 +00:00
vgdaut
d38343194b install, uninstall: Fail if non-interactive and multiple refs, remotes or installations match 2026-01-15 17:45:39 +00:00
Sebastian Wick
a6c76d21a2 context: Improve check for --filesystem paths moving up
While the arguments for --filesystem permissions either have to come
from a privileged source, or from the manifest which is supposed to be
checked by the remote, it was decided that paths are not allowed to move
up (..) a directory.

The check for this was both too complicated, and not sufficient, because
the special directories (e.g. xdg-download) might contain only a single
slash (xdg-download/..) and move one directory up.
2026-01-13 17:26:58 +00:00
Christian Hergert
c896faae19 app: be selective about when to map font-dirs.xml
If the command calling `flatpak build` has already specified a
font-dirs.xml to map, then mapping in again may break (as exemplified in
Builder and Foundry).

This checks to see if an argument has already been mapped in before doing
so and resolves the issue with Builder/Foundry.

Follow-up to !6138

Fixes: GNOME/gnome-builder#2387
2026-01-13 16:34:55 +00:00
lumingzh
6a5fa4b8a0 update Chinese translation 2026-01-07 00:57:47 +00:00
filmsi
763874f7ad Update sl.po (Slovenian)
Due to new/updated English strings here is the update.
2026-01-06 20:39:48 +05:30
Sabri Ünal
fa4da960e1 typo: Fix URL usages
Url > URL
url > URL
2026-01-05 21:16:15 +05:30
Sabri Ünal
10cf402ea2 i18n: Update two strings
In the following usages, the "Install:" and "Download:" strings were used as a short form
of the "Download Size" and "Installed Size", which makes translation tricky.

Therefore, using the normal forms will be good from the translation side.
2026-01-05 13:51:30 +00:00
Sabri Ünal
5136ef48f8 i18n: Add comments for translators
The string "download" can be both a noun and a verb.

Here, "download" is used as a noun.
2026-01-02 14:37:29 +00:00
Simon McVittie
c324778b07 tests: Tell "as-installed" tests where they can find triggers
Since commit d10e1148 "Add initial support for preinstalling flatpaks",
the test suite sets FLATPAK_DATA_DIR to a temporary directory, both
while running uninstalled and as-installed.

While running uninstalled we already set FLATPAK_TRIGGERSDIR to the
trigger scripts in the source tree, but when running "as-installed",
we need to run the triggers that the OS installs as part of the flatpak
package (or equivalent).

Not having this caused autopkgtests (automated as-installed tests) in
Debian to regress with 1.17.x.

Fixes: d10e1148 "Add initial support for preinstalling flatpaks"
Signed-off-by: Simon McVittie <smcv@debian.org>
2025-12-18 14:52:35 +00:00
Sebastian Wick
56dfd306d6 Post-branching version bump 2025-12-15 19:36:46 +01:00
Sebastian Wick
20599618d6 Update NEWS for 1.17.2 release 1.17.2 2025-12-15 19:14:18 +01:00
Sebastian Wick
ef3d619d0e ci: Fix immutable releases
GitHub supports immutable releases. They can't be changed once
published. This is great, but the release action was broken and created
an immutable release, published it, and then tried to upload the dist
artifacts.

Upgrade to the latest version and explicitly create an immutable
release. In this version, the release action creates a draft release,
uploads the dist artifacts, and then publishes it.
2025-12-15 17:58:23 +00:00
Sebastian Wick
64d6ab4d57 Post-branching version bump 2025-12-15 17:32:24 +01:00
Sebastian Wick
b9c907a29b Update NEWS for 1.17.1 release 1.17.1 2025-12-15 17:27:06 +01:00
Sebastian Wick
d6453336a6 Update translation files for 1.17.1 2025-12-15 16:47:37 +01:00
lumingzh
5dad539335 update Chinese translation 2025-12-10 14:46:27 +00:00
Sebastian Wick
2a4441382f context: Add --share-if and --allow-if context options
Actually make it possible to use the command line to use the new
conditional permission system.
2025-12-08 19:33:09 +00:00
Sebastian Wick
6667e1d361 context: Use the new permission system for shares and features
This gives us conditionals for shares and features. So far we have no
use case for this, but the system already exists, it makes the code
simpler, and when we need this in the future, we don't have to wait for
it to roll out.
2025-12-08 19:33:09 +00:00
Sebastian Wick
e0e1b20ecb context: Pass in the negated permission string
For device and socket the negated versions are nodevice and nosocket,
but for shares, the strings are allow and disallow. Take arguments for
both forms.
2025-12-08 19:33:09 +00:00
Sebastian Wick
2beadfc860 context: Fix typo in --socket-if option 2025-12-08 19:33:09 +00:00
Sebastian Wick
f242199eca tests: Test signed OCI images 2025-12-08 19:09:56 +00:00
Owen W. Taylor
404aa33ce1 common: Check signatures when installing OCI images
Co-authored-by: Sebastian Wick <sebastian.wick@redhat.com>
2025-12-08 19:09:56 +00:00
Owen W. Taylor
841f33e451 app: Add a "signature lookaside" repository configuration
Allow specifying a lookaside URL for downloading signatures for
an OCI remote. This can be specified:

- In a .repofile with the SignatureLookaside key
- As the --signature-lookaside option to remote-add/remote-modify
2025-12-08 19:09:56 +00:00
Owen W. Taylor
0f4ad0e925 json-oci: Make FlatpakOciSignature just a simple signature
FlatpakOciSignature was a Flatpak-specific analog to
the containers/image "simple signatures" - but it wasn't used at
all, and Flatpaks on registry.redhat.io are signed by the
original simple signatures. So modify it to correspond to
the original simple signatures.
2025-12-08 19:09:56 +00:00
Owen W. Taylor
d13ae21a8e oci-signatures: Remove vestigal OCI signing code
Remove unused flatpak_oci_sign_data() - we'll leave signing
OCI images to container ecosystem tools like skopeo and cosign.
2025-12-08 19:09:56 +00:00
Owen W. Taylor
bd846c389f oci-registry: Move some helper functions to flatpak-utils.c
In order to reuse in flatpak-oci-signatures.c, move:

- local_open_file => flatpak_open_file_at
- local_load_file => flatpak_load_file_at
2025-12-08 19:09:56 +00:00
Sebastian Wick
78c97ead65 oci-signatures: Fix return type of flatpak_oci_signatures_verify 2025-12-08 19:09:56 +00:00