Allow apps to match on WM_CLASS first (!1347) · Merge requests · GNOME / gnome-shell

Florian Müllner requested to merge fmuellner/gnome-shell:safer-wm-class into master Jul 03, 2020

Quoting the last commit:

Currently our heuristics for matching a window to its app check
for the application ID before the WM_CLASS, as the ID is more
reliable in so far that it is outside the application's control
and so it cannot use it to spoof a different application.

However this also prevents applications with multiple .desktop
files like LibreOffice from matching any .desktop files other
than the one under the main ID.

Since we now no longer allow the WM_CLASS to match a .desktop
file that doesn't belong to the sandboxed application, we can
fix that issue by checking the WM_CLASS first, without opening
the door to spoofing.

Fixes #219 (closed)

Allow apps to match on WM_CLASS first

Merge request reports