mirror of https://github.com/flatpak/flatpak.git synced 2026-03-26 19:04:56 -04:00

Go to file

Debarshi Ray 52d10816c7 completion: Avoid buffer overrun with strings having too many elements

Here are some strings representing valid refs:
  app/org.test.App/x86_64/stable - full ref
  org.test.App/x86_64/stable - full ref without prefix
  org.test.App - only app ID
  org.test.App/x86_64 - only app ID and arch
  org.test.App//stable - only app ID and branch

Therefore, if a ref's prefix (ie., 'app/' or 'runtime/) is skipped,
then there can only be a maximum of 3 other elements in it.

Right now, it's possible for find_current_element() to return a count
of 4, if the string being completed is invalid and has some extra
elements or slashes in it.  This count is later used to index the
cur_parts array which only has 4 elements in it.  This opens up the
possibility of a buffer overrun.

Invalid strings with extra elements or slashes can't be further
completed because none of the existing refs will match them.
Therefore, such strings should be outright skipped.

For the rest of the valid strings, the exact intended branch name is
never known, because the branch element doesn't have a trailing slash
and hence appears to be a prefix.  Therefore, it's not possible to use
the branch to find a list of existing refs that could possibly
complete the string.

Fallout from 7018717ce2

2026-03-19 23:40:29 +00:00

.devcontainer

utils-http: Drop libsoup2 support in favor of libcurl

2025-11-20 17:40:57 +00:00

.github

ci: Fix immutable releases

2025-12-15 17:58:23 +00:00

app

completion: Avoid buffer overrun with strings having too many elements

2026-03-19 23:40:29 +00:00

buildutil

tests: Make it possible to use mesontest --test-args

2025-10-13 18:31:33 +00:00

common

dir, system-helper: Don't ignore errors when getting a remote's URL

2026-03-19 23:40:29 +00:00

completion

Add a Meson build system

2022-10-24 16:12:14 +01:00

data

fix: cross typos, detail below

2026-01-21 17:58:19 +00:00

doc

fix: cross typos, detail below

2026-01-21 17:58:19 +00:00

env.d

Add a Meson build system

2022-10-24 16:12:14 +01:00

icon-validator

validate-icon: Do not leak a GError instance

2025-11-21 14:21:13 +00:00

oci-authenticator

fix: cross typos, detail below

2026-01-21 17:58:19 +00:00

update Chinese translation

2026-03-19 21:22:39 +05:30

portal

fix: cross typos, detail below

2026-01-21 17:58:19 +00:00

profile

profile: fix a shellcheck warning

2025-05-07 17:54:28 +00:00

revokefs

Constify arrays of program arguments

2024-08-22 15:17:13 -03:00

scripts

flatpak-bisect: Use raw string for regular expression

2026-02-25 23:39:15 +05:30

selinux

selinux: add custom type flatpak_home_t for ~/.local/share/flatpak

2026-02-24 21:50:06 +00:00

session-helper

fix: cross typos, detail below

2026-01-21 17:58:19 +00:00

sideload-repos-systemd

Remove Autotools build system

2024-02-16 19:30:32 +00:00

subprojects

Update subtree: libglnx 2024-12-06

2024-12-22 12:43:53 +00:00

system-helper

system-helper: Remove redundant (and misleading) NULL check

2026-03-19 23:40:29 +00:00

tests

tests: Mention [systemd-]localed in debug messages, not "located"

2026-03-19 21:16:19 +05:30

tools/usb

usb: Added tool examples to generate device lists

2024-10-16 14:11:56 -03:00

triggers

Add a Meson build system

2022-10-24 16:12:14 +01:00

.codespellrc

fix: cross typos, detail below

2026-01-21 17:58:19 +00:00

.editorconfig

Add a vim modeline and .editorconfig

2022-08-22 19:48:10 -07:00

.flake8

tests/oci-registry-server.py: Clean up Python style

2025-05-08 16:08:21 +00:00

.gitignore

.gitignore: Add tests/runtime-repo.stamp

2022-06-27 20:15:41 +01:00

CODE_OF_CONDUCT.md

Create CODE_OF_CONDUCT.md

2018-02-05 15:21:40 +00:00

CONTRIBUTING.md

doc: Add compilation instructions for Ubuntu 24.04

2026-02-16 15:20:41 +00:00

COPYING

Add COPYING to reflect license headers

2015-03-31 15:36:29 +01:00

flatpak.png

README: update logo

2022-09-26 14:35:40 +01:00

meson_options.txt

utils-http: Drop libsoup2 support in favor of libcurl

2025-11-20 17:40:57 +00:00

meson.build

Post-release version bump

2026-03-15 11:13:11 +00:00

NEWS

Post-release version bump

2026-03-15 11:13:11 +00:00

README.md

README: Signpost https://flatpak.org/setup/ as a good way to install

2023-02-21 09:55:10 +00:00

SECURITY.md

Update SECURITY.md

2025-05-10 23:54:21 -03:00

uncrustify.cfg

Remove extra newlines in variable definiton blocks

2019-02-25 18:12:30 +00:00

uncrustify.sh

uncrustify: Exclude app/flatpak-polkit-agent-text-listener.[ch]

2019-02-25 18:12:30 +00:00

README.md

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.

See https://flatpak.org/ for more information.

Flatpak is available in the package repositories of most Linux distributions and can be installed from there. See https://flatpak.org/setup/ for quick setup instructions for many distributions.

Community discussion happens in #flatpak:matrix.org, on the mailing list, and on the Flathub Discourse.

Read documentation for Flatpak here.

Contributing

Flatpak welcomes contributions from anyone! Here are some ways you can help:

Fix one of the issues and submit a PR
Update flatpak's translations and submit a PR
Improve flatpak's documentation, hosted at http://docs.flatpak.org and developed over in flatpak-docs
Find a bug and submit a detailed report including your OS, flatpak version, and the steps to reproduce
Add your favorite application to Flathub by writing a flatpak-builder manifest and submitting it
Improve the Flatpak support in your favorite Linux distribution

Hacking

See CONTRIBUTING.md

Here are some notable projects in the Flatpak ecosystem:

Flatseal: An app for managing permissions of Flatpak apps without using the CLI
Flat-manager: A tool for managing Flatpak repositories

Languages

C 91.1%

Shell 5.1%

Python 1.8%

Meson 1.1%

Yacc 0.8%

README.md

Contributing

Hacking

Related Projects