Diffstat (limited to 'meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch')
-rw-r--r-- | meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch | 97 |
1 files changed, 97 insertions, 0 deletions
diff --git a/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch b/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch
new file mode 100644
index 0000000000..f942f990bd
--- /dev/null
+++ b/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch
@@ -0,0 +1,97 @@
+From 9165a61f95e43cc0b5abf9b98eee2818a0191e0b Mon Sep 17 00:00:00 2001
+From: Alexander Schwinn <alexxcons@xfce.org>
+Date: Sat, 1 May 2021 00:40:44 +0200
+Subject: [PATCH 1/2] Dont execute files, passed via command line due to
+ security risks
+
+Instead open the containing folder and select the file.
+
+Fixes #121
+
+Upstream-Status: Backport
+CVE: CVE-2021-32563
+
+Reference to upstream patch:
+[https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ thunar/thunar-application.c | 25 +++++++++++++++++++++++--
+ thunar/thunar-window.c | 4 +---
+ thunar/thunar-window.h | 2 ++
+ 3 files changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/thunar/thunar-application.c b/thunar/thunar-application.c
+index df862fd..1243940 100644
+--- a/thunar/thunar-application.c
++++ b/thunar/thunar-application.c
+@@ -1512,8 +1512,29 @@ thunar_application_process_files_finish (ThunarBrowser *browser,
+ }
+ else
+ {
+- /* try to open the file or directory */
+- thunar_file_launch (target_file, screen, startup_id, &error);
++ if (thunar_file_is_directory (file))
++ {
++ thunar_application_open_window (application, file, screen, startup_id, FALSE);
++ }
++ else
++ {
++ /* Note that for security reasons we do not execute files passed via command line */
++ /* Lets rather open the containing directory and select the file */
++ ThunarFile *parent = thunar_file_get_parent (file, NULL);
++
++ if (G_LIKELY (parent != NULL))
++ {
++ GList* files = NULL;
++ GtkWidget *window;
++
++ window = thunar_application_open_window (application, parent, screen, startup_id, FALSE);
++ g_object_unref (parent);
++
++ files = g_list_append (files, thunar_file_get_file (file));
++ thunar_window_select_files (THUNAR_WINDOW (window), files);
++ g_list_free (files);
++ }
++ }
+
+ /* remove the file from the list */
+ application->files_to_launch = g_list_delete_link (application->files_to_launch,
+diff --git a/thunar/thunar-window.c b/thunar/thunar-window.c
+index b330a87..b234fd3 100644
+--- a/thunar/thunar-window.c
++++ b/thunar/thunar-window.c
+@@ -243,8 +243,6 @@ static void thunar_window_update_go_menu (ThunarWindow
+ GtkWidget *menu);
+ static void thunar_window_update_help_menu (ThunarWindow *window,
+ GtkWidget *menu);
+-static void thunar_window_select_files (ThunarWindow *window,
+- GList *path_list);
+ static void thunar_window_binding_create (ThunarWindow *window,
+ gpointer src_object,
+ const gchar *src_prop,
+@@ -891,7 +889,7 @@ thunar_window_screen_changed (GtkWidget *widget,
+ *
+ * Visually selects the files, given by the list
+ **/
+-static void
++void
+ thunar_window_select_files (ThunarWindow *window,
+ GList *files_to_selected)
+ {
+diff --git a/thunar/thunar-window.h b/thunar/thunar-window.h
+index 9cbcc85..3c1aad2 100644
+--- a/thunar/thunar-window.h
++++ b/thunar/thunar-window.h
+@@ -126,6 +126,8 @@ void thunar_window_redirect_menu_tooltips_to_statusbar (Thu
+ GtkMenu *menu);
+ const XfceGtkActionEntry* thunar_window_get_action_entry (ThunarWindow *window,
+ ThunarWindowAction action);
++ void thunar_window_select_files (ThunarWindow *window,
++ GList *path_list);
+ G_END_DECLS;
+
+ #endif /* !__THUNAR_WINDOW_H__ */
+--
+2.17.1
+ |
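Review bot: In the new non-directory branch of `thunar_application_process_files_finish` (thunar-application.c), the result of `thunar_application_open_window` goes straight into `THUNAR_WINDOW (window)` and `thunar_window_select_files` with no check. That function's definition is not part of this patch, so if it can return NULL the selection should be guarded with `if (G_LIKELY (window != NULL))`. The same branch does nothing when `thunar_file_get_parent` returns NULL, and the removed `thunar_file_launch` call was the only writer of `error` visible in the hunk, so such a file is presumably removed from `files_to_launch` with no feedback; a comment like `/* no parent: nothing to show, and the file is deliberately not launched */` would record that this is intended. The now-public prototype in thunar-window.h names its list `path_list` while the definition uses `files_to_selected`, and the caller fills it from `thunar_file_get_file`, so the header should state the expected element type. The subject marks this as patch 1/2, so it is worth confirming the recipe also carries the second part; the function body starts and ends outside the hunk.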