Requesting a handle_token with org.freedesktop.portal.RemoteDesktop.CreateSession containing a special character causes the portal to crash #1549

Closed
Kale-Ko opened this issue Dec 24, 2024 · 0 comments · Fixed by #1562
Kale-Ko commented Dec 24, 2024

Operating System

Arch Linux

XDG Desktop Portal version

1.18

XDG Desktop Portal version (Other)

No response

Desktop Environment

KDE

Desktop Environment (Other)

No response

Expected Behavior

An error response is returned or the message is discarded.

Current Behavior

The portal crashes.

Steps to Reproduce

  1. Run gdbus call --session --dest org.freedesktop.portal.Desktop --object-path /org/freedesktop/portal/desktop --method org.freedesktop.portal.RemoteDesktop.CreateSession '{"handle_token": <"token_with_special_&">, "session_handle_token": <"valid_token">}' in a terminal

Anything else we should know?

Core Dump: core.dump.tar.gz

If the arguments are reversed the portal seems to just discard the message as expected.

@Kale-Ko Kale-Ko added the bug label Dec 24, 2024
@github-project-automation github-project-automation bot moved this to Needs Triage in Triage Dec 24, 2024
whot added a commit to whot/xdg-desktop-portal that referenced this issue Jan 10, 2025
The token is used as part of an object path so it has to meet those
requirements. We can't escape it since the caller presumably expects to
use the token as-is so where it fails the validity simply error out.

Closes: flatpak#1549
whot added a commit to whot/xdg-desktop-portal that referenced this issue Jan 29, 2025
The token is used as part of an object path so it has to meet those
requirements. We can't escape it since the caller presumably expects to
use the token as-is so where it fails the validity simply error out.

Note that we do not allow the token to create a subpath, so a slash
in the token value is disallowed even though technically this could
work.

Closes: flatpak#1549
whot added a commit to whot/xdg-desktop-portal that referenced this issue Jan 29, 2025
The token is used as part of an object path so it has to meet those
requirements. We can't escape it since the caller presumably expects to
use the token as-is so where it fails the validity simply error out.

Closes: flatpak#1549
github-merge-queue bot pushed a commit that referenced this issue Jan 29, 2025
The token is used as part of an object path so it has to meet those
requirements. We can't escape it since the caller presumably expects to
use the token as-is so where it fails the validity simply error out.

Note that we do not allow the token to create a subpath, so a slash
in the token value is disallowed even though technically this could
work.

Closes: #1549
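
The check the commit messages above describe, as an added example in plain C; it is not the project's code, which this page does not show. The D-Bus specification limits an object path element to a non-empty run of [A-Za-z0-9_]; the function names, the request path prefix and the sender value "1_42" are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True if s can be exactly one D-Bus object path element: non-empty and
 * only [A-Za-z0-9_]. '/' fails too, so a token cannot open a subpath. */
bool is_valid_path_element(const char *s)
{
    if (s == NULL || *s == '\0')
        return false;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
              (c >= '0' && c <= '9') || c == '_'))
            return false;
    }
    return true;
}

/* Hypothetical helper: builds <base>/<sender>/<token> only after both elements
 * validate. Returns 0, or -1 (out left empty) on bad input or short buffer. */
int build_request_path(const char *sender, const char *token,
                       char *out, size_t out_len)
{
    static const char base[] = "/org/freedesktop/portal/desktop/request";
    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    if (!is_valid_path_element(sender) || !is_valid_path_element(token))
        return -1;
    int n = snprintf(out, out_len, "%s/%s/%s", base, sender, token);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Tokens from the report plus a slash case; sender is constructed. */
    const char *tokens[] = { "valid_token", "token_with_special_&", "a/b" };
    char path[128];
    for (size_t i = 0; i < sizeof tokens / sizeof tokens[0]; i++) {
        int rc = build_request_path("1_42", tokens[i], path, sizeof path);
        printf("%-22s -> %s\n", tokens[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```

Rejecting the token before any path is assembled lets the caller get an error reply instead of the service reaching path-handling code with a string that is not a valid object path.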