[libcontentaction] Add configuration options to restrict the invokati…

…on of .desktop files. Contributes to JB#43964 This helps prevent .desktop files of unknown origin being used as an executable scripts.
sailfishos · Feb 26, 2019 · 9c8596b · 9c8596b
1 parent 23e2f3b
commit 9c8596b
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 0 deletions.
diff --git a/data/data.pro b/data/data.pro
@@ -28,3 +28,9 @@ highlight1.path = $$CONTENTACTION_DATADIR
 highlight1.files = highlight1.xml
 highlight1.CONFIG += no_check_exist
 INSTALLS += highlight1
+
+dconf_locks.files = \
+    locks/application_desktop_paths.txt
+dconf_locks.path = /etc/dconf/db/vendor.d/locks
+
+INSTALLS += dconf_locks
diff --git a/data/locks/application_desktop_paths.txt b/data/locks/application_desktop_paths.txt
@@ -0,0 +1,2 @@
+/desktop/sailfish/application_desktop_paths
+
diff --git a/rpm/libcontentaction-qt5.spec b/rpm/libcontentaction-qt5.spec
@@ -78,6 +78,7 @@ rm -rf %{buildroot}
 %{_datadir}/contentaction/highlight1.xml
 %{_datadir}/contentaction/tracker1.xml
 %{_libdir}/libcontentaction5.so.*
+%{_sysconfdir}/dconf/db/vendor.d/locks/application_desktop_paths.txt
 
 %files devel
 %defattr(-,root,root,-)

diff --git a/src/contentaction.cpp b/src/contentaction.cpp
@@ -24,6 +24,7 @@
 #include "service.h"
 
 #include <MDesktopEntry>
+#include <MGConfItem>
 #include <QFileInfo>
 
 /*!
@@ -65,6 +66,45 @@ const QString XMaemoObjectPathKey("Desktop Entry/X-Maemo-Object-Path");
 const QString ExecKey("Desktop Entry/Exec");
 const QString URLKey("Desktop Entry/URL");
 const QString TypeKeyValueLink("Link");
+
+}
+
+namespace {
+
+QStringList applicationDesktopPaths()
+{
+    QStringList desktopPaths;
+    const QVariant configuration = MGConfItem(
+                QLatin1String("/desktop/sailfish/application_desktop_paths")).value();
+
+    if (configuration.isValid()) {
+        for (const QString &path : configuration.toStringList()) {
+            if (!path.isEmpty() && path.startsWith(QLatin1Char('/'))) {
+                desktopPaths.append(path.endsWith(QLatin1Char('/')) ? path : path + QLatin1Char('/'));
+            }
+        }
+    }
+    return desktopPaths;
+}
+
+Q_GLOBAL_STATIC_WITH_ARGS(QStringList, desktopPaths, (applicationDesktopPaths()))
+
+bool isApplicationDesktopPath(const QString &path)
+{
+    const QStringList paths = *desktopPaths();
+
+    if (paths.isEmpty()) {
+        return true;
+    }
+
+    for (const QString &desktopPath : paths) {
+        if (path.startsWith(desktopPath)) {
+            return true;
+        }
+    }
+    return false;
+}
+
 }
 
 ActionPrivate::~ActionPrivate()
@@ -173,6 +213,8 @@ Action createAction(QSharedPointer<MDesktopEntry> desktopEntry,
     if (desktopEntry->type() == TypeKeyValueLink &&
         desktopEntry->contains(URLKey)) {
         return Action::defaultActionForScheme(desktopEntry->url());
+    } else if (!isApplicationDesktopPath(desktopEntry->fileName())) {
+        return Action();
     } else if (desktopEntry->contains(XMaemoMethodKey) &&
         !desktopEntry->contains(XMaemoServiceKey)) {
         return Action(new ServiceFwPrivate(desktopEntry, params));