Commit 9bb330d8 authored by Simon McVittie

dbus-daemon: Filter out unknown header fields

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=100317

Reviewed-by: Philip Withnall <withnall@endlessm.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
parent 138f51f9
......@@ -34,6 +34,7 @@
#include "signals.h"
#include "test.h"
#include <dbus/dbus-internals.h>
#include <dbus/dbus-message-internal.h>
#include <dbus/dbus-misc.h>
#include <dbus/dbus-test-tap.h>
#include <string.h>
......@@ -287,6 +288,15 @@ bus_dispatch (DBusConnection *connection,
}
}
/* Make sure the message does not have any header fields that we
* don't understand (or validate), so that we can add header fields
* in future and clients can assume that we have checked them. */
if (!_dbus_message_remove_unknown_fields (message))
{
BUS_SET_OOM (&error);
goto out;
}
service_name = dbus_message_get_destination (message);
#ifdef DBUS_ENABLE_VERBOSE_MODE
......
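Review bot: The comment above the new `_dbus_message_remove_unknown_fields (message)` call explains why unknown fields are stripped, but not that the call's position is what makes the guarantee hold: it has to run before anything in bus_dispatch relays or copies the message. The hunk places it ahead of the destination lookup, but bus_dispatch starts and ends outside the hunk, so whether an earlier path already forwards the message cannot be confirmed from here. I would extend the comment with something like `This must stay ahead of every code path that forwards or captures the message; the HeaderFiltering bus feature advertises it.` Separately, every FALSE return is reported through `BUS_SET_OOM (&error)`, which is only accurate if allocation failure is the helper's sole failure mode; its declaration should state that.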
......@@ -3076,6 +3076,7 @@ features_getter (BusContext *context,
DBusMessageIter *variant_iter)
{
DBusMessageIter arr_iter;
const char *s;
if (!dbus_message_iter_open_container (variant_iter, DBUS_TYPE_ARRAY,
DBUS_TYPE_STRING_AS_STRING,
......@@ -3084,15 +3085,20 @@ features_getter (BusContext *context,
if (bus_apparmor_enabled ())
{
const char *s = "AppArmor";
s = "AppArmor";
if (!dbus_message_iter_append_basic (&arr_iter, DBUS_TYPE_STRING, &s))
goto abandon;
}
s = "HeaderFiltering";
if (!dbus_message_iter_append_basic (&arr_iter, DBUS_TYPE_STRING, &s))
goto abandon;
if (bus_selinux_enabled ())
{
const char *s = "SELinux";
s = "SELinux";
if (!dbus_message_iter_append_basic (&arr_iter, DBUS_TYPE_STRING, &s))
goto abandon;
......@@ -3100,7 +3106,7 @@ features_getter (BusContext *context,
if (bus_context_get_systemd_activation (context))
{
const char *s = "SystemdActivation";
s = "SystemdActivation";
if (!dbus_message_iter_append_basic (&arr_iter, DBUS_TYPE_STRING, &s))
goto abandon;
......
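Review bot: `"HeaderFiltering"` is appended unconditionally in features_getter, so it becomes a security claim that clients base a trust decision on, yet nothing here records that it depends on the `_dbus_message_remove_unknown_fields` call in bus_dispatch. A short comment above `s = "HeaderFiltering";` would keep the two from drifting apart, for example `/* Unconditional: bus_dispatch() strips unknown header fields from every message. Drop this feature if that call ever becomes conditional. */`. No regression test is visible on this page that sends a message carrying an unrecognised header field and checks that the recipient does not see it; if one does not exist elsewhere, it is worth adding so the advertised feature stays backed by behaviour. features_getter's body continues outside the hunks shown.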
......@@ -1618,7 +1618,10 @@
mutually-distrustful client to another, such as the message
bus, should remove header fields that the server does not
recognise. However, a client must assume that the server has
not done so, unless it has evidence to the contrary.
not done so, unless it has evidence to the contrary,
such as having checked for the <literal>HeaderFiltering</literal>
<link linkend="message-bus-properties-features">message bus
feature</link>.
</para>
<para>
......@@ -7029,6 +7032,26 @@
</listitem>
</varlistentry>
<varlistentry>
<term><literal>HeaderFiltering</literal></term>
<listitem>
<para>
This message bus guarantees that it will remove
header fields that it does not understand when it
relays messages, so that a client receiving a
recently-defined header field that is specified to be
controlled by the message bus can safely assume that
it was in fact set by the message bus. This check is
needed because older message bus implementations did
not guarantee to filter headers in this way, so a
malicious client could send any recently-defined
header field with a crafted value of its choice
through an older message bus that did not understand
that header field.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SELinux</literal></term>
<listitem>
......