Commit 3a22ed5b by Carlos Soriano Committed by Carlos Soriano

general: Don't allow launching binaries or programs in general

For a long time we supported that, since the desktop was part of Nautilus. Also, back then we didn't have a Software app where you are expected to install apps. Back then it was common for apps to be delivered in a tarball; nowadays that's out of the question. Now that the desktop is long gone, launching binaries and desktop files from within Nautilus is not as useful. Not only that, but we are moving towards a more sandboxed system, and we should use the standard, system-wide support for launching apps based on users' choices. We also are not able to be secure enough to handle this: as we saw in the past, we allowed untrusted binaries to be launched, and therefore we had a CVE (CVE-2017-14604) for Nautilus. We are not being audited (afaik) and we are not in a position where we can let these issues slip. With all that taken together, this prevents launching binaries or programs from Nautilus. Closes: #184
parent 83483358
......@@ -11,12 +11,6 @@
<value value="1" nick="double"/>
</enum>
<enum id="org.gnome.nautilus.ActivationChoice">
<value value="0" nick="launch"/>
<value value="1" nick="display"/>
<value value="2" nick="ask"/>
</enum>
<enum id="org.gnome.nautilus.FolderView">
<value value="0" nick="icon-view"/>
<value value="1" nick="list-view"/>
......@@ -121,11 +115,6 @@
<summary>Type of click used to launch/open files</summary>
<description>Possible values are “single” to launch files on a single click, or “double” to launch them on a double click.</description>
</key>
<key name="executable-text-activation" enum="org.gnome.nautilus.ActivationChoice">
<default>'display'</default>
<summary>What to do with executable text files when activated</summary>
<description>What to do with executable text files when they are activated (single or double clicked). Possible values are “launch” to launch them as programs, “ask” to ask what to do via a dialog, and “display” to display them as text files.</description>
</key>
<key type="b" name="install-mime-activation">
<default>true</default>
<summary>Show the package installer for unknown MIME types</summary>
......
......@@ -3541,39 +3541,6 @@ file_info_start (NautilusDirectory *directory,
g_object_unref (location);
}
static gboolean
is_link_trusted (NautilusFile *file,
gboolean is_launcher)
{
GFile *location;
gboolean res;
g_autofree gchar *trusted = NULL;
if (!is_launcher)
{
return TRUE;
}
trusted = nautilus_file_get_metadata (file,
NAUTILUS_METADATA_KEY_DESKTOP_FILE_TRUSTED,
NULL);
if (nautilus_file_can_execute (file) && trusted != NULL)
{
return TRUE;
}
res = FALSE;
if (nautilus_file_is_local (file))
{
location = nautilus_file_get_location (file);
res = nautilus_is_in_system_dir (location);
g_object_unref (location);
}
return res;
}
static void
link_info_done (NautilusDirectory *directory,
NautilusFile *file,
......@@ -3582,20 +3549,9 @@ link_info_done (NautilusDirectory *directory,
GIcon *icon,
gboolean is_launcher)
{
gboolean is_trusted;
file->details->link_info_is_up_to_date = TRUE;
is_trusted = is_link_trusted (file, is_launcher);
if (is_trusted)
{
nautilus_file_set_display_name (file, name, name, TRUE);
}
else
{
nautilus_file_set_display_name (file, NULL, NULL, TRUE);
}
file->details->got_link_info = TRUE;
g_clear_object (&file->details->custom_icon);
......@@ -3607,12 +3563,11 @@ link_info_done (NautilusDirectory *directory,
file->details->got_custom_activation_uri = TRUE;
file->details->activation_uri = g_strdup (uri);
}
if (is_trusted && (icon != NULL))
if (icon != NULL)
{
file->details->custom_icon = g_object_ref (icon);
}
file->details->is_launcher = is_launcher;
file->details->is_trusted_link = is_trusted;
nautilus_directory_async_state_changed (directory);
}
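Review bot: In link_info_done the custom icon is now stored whenever `icon != NULL`, so the trust gate that used to stop an unvetted launcher from choosing its own icon is removed along with is_link_trusted. This commit removes launching, but a link file that supplies its own icon can still look like a different kind of file in the view. If that is intended, record it above the check, for example `/* The icon comes from the link file itself and is applied without any trust check. */`; otherwise keep a gate for launchers, such as the system-directory test the old helper used. The `name` parameter also appears to be unused now that both nautilus_file_set_display_name calls are gone; the signature starts outside this hunk, so that needs confirming.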
......
......@@ -1198,7 +1198,6 @@ nautilus_files_view_activate_files (NautilusFilesView *view,
NautilusFilesViewPrivate *priv;
GList *files_to_extract;
GList *files_to_activate;
char *path;
if (files == NULL)
{
......@@ -1230,15 +1229,12 @@ nautilus_files_view_activate_files (NautilusFilesView *view,
extract_files_to_chosen_location (view, files_to_extract);
}
path = get_view_directory (view);
nautilus_mime_activate_files (nautilus_files_view_get_containing_window (view),
priv->slot,
files_to_activate,
path,
flags,
confirm_multiple);
g_free (path);
g_list_free (files_to_extract);
g_list_free (files_to_activate);
}
......@@ -7675,7 +7671,6 @@ update_selection_menu (NautilusFilesView *view)
GList *l;
gint selection_count;
gboolean show_app;
gboolean show_run;
gboolean show_extract;
gboolean item_opens_in_view;
gchar *item_label;
......@@ -7716,7 +7711,7 @@ update_selection_menu (NautilusFilesView *view)
g_free (item_label);
/* Open With <App> menu item */
show_extract = show_app = show_run = item_opens_in_view = selection_count != 0;
show_extract = show_app = item_opens_in_view = selection_count != 0;
for (l = selection; l != NULL; l = l->next)
{
NautilusFile *file;
......@@ -7733,17 +7728,12 @@ update_selection_menu (NautilusFilesView *view)
show_app = FALSE;
}
if (!nautilus_mime_file_launches (file))
{
show_run = FALSE;
}
if (!nautilus_file_opens_in_view (file))
{
item_opens_in_view = FALSE;
}
if (!show_extract && !show_app && !show_run && !item_opens_in_view)
if (!show_extract && !show_app && !item_opens_in_view)
{
break;
}
......@@ -7772,10 +7762,6 @@ update_selection_menu (NautilusFilesView *view)
g_free (escaped_app);
g_object_unref (app);
}
else if (show_run)
{
item_label = g_strdup (_("Run"));
}
else if (show_extract)
{
item_label = nautilus_files_view_supports_extract_here (view) ?
......@@ -8736,20 +8722,10 @@ nautilus_files_view_move_copy_items (NautilusFilesView *view,
NautilusFile *target_file;
target_file = nautilus_file_get_existing_by_uri (target_uri);
/* special-case "command:" here instead of starting a move/copy */
if (target_file != NULL && nautilus_file_is_launcher (target_file))
{
nautilus_file_unref (target_file);
nautilus_launch_desktop_file (
gtk_widget_get_screen (GTK_WIDGET (view)),
target_uri, item_uris,
nautilus_files_view_get_containing_window (view));
return;
}
else if (copy_action == GDK_ACTION_COPY &&
nautilus_is_file_roller_installed () &&
target_file != NULL &&
nautilus_file_is_archive (target_file))
if (copy_action == GDK_ACTION_COPY &&
nautilus_is_file_roller_installed () &&
target_file != NULL &&
nautilus_file_is_archive (target_file))
{
char *command, *quoted_uri, *tmp;
const GList *l;
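Review bot: With the launcher branch removed from nautilus_files_view_move_copy_items, a drop whose target is a launcher file now falls through to the archive test and then to whatever generic move/copy handling follows outside this hunk. If the drag-and-drop code elsewhere still accepts launchers as drop targets, that path would start a copy onto something that is not a directory. It is worth confirming that the acceptance check is dropped in the same change, or keeping a guard that only bails out, `if (target_file != NULL && nautilus_file_is_launcher (target_file)) { nautilus_file_unref (target_file); return; }`. The function body continues past the hunk, so the fall-through path cannot be checked from here.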
......
......@@ -52,10 +52,7 @@
typedef enum
{
ACTIVATION_ACTION_LAUNCH_DESKTOP_FILE,
ACTIVATION_ACTION_ASK,
ACTIVATION_ACTION_LAUNCH,
ACTIVATION_ACTION_LAUNCH_IN_TERMINAL,
ACTIVATION_ACTION_OPEN_IN_VIEW,
ACTIVATION_ACTION_OPEN_IN_APPLICATION,
ACTIVATION_ACTION_EXTRACT,
......@@ -83,7 +80,6 @@ typedef struct
gboolean timed_wait_active;
NautilusFileListHandle *files_handle;
gboolean tried_mounting;
char *activation_directory;
gboolean user_confirmation;
} ActivateParameters;
......@@ -600,115 +596,6 @@ out:
}
static ActivationAction
get_executable_text_file_action (GtkWindow *parent_window,
NautilusFile *file)
{
GtkDialog *dialog;
char *file_name;
char *prompt;
char *detail;
int preferences_value;
int response;
g_assert (nautilus_file_contains_text (file));
preferences_value = g_settings_get_enum (nautilus_preferences,
NAUTILUS_PREFERENCES_EXECUTABLE_TEXT_ACTIVATION);
switch (preferences_value)
{
case NAUTILUS_EXECUTABLE_TEXT_LAUNCH:
{
return ACTIVATION_ACTION_LAUNCH;
}
case NAUTILUS_EXECUTABLE_TEXT_DISPLAY:
{
return ACTIVATION_ACTION_OPEN_IN_APPLICATION;
}
case NAUTILUS_EXECUTABLE_TEXT_ASK:
{
}
break;
default:
/* Complain non-fatally, since preference data can't be trusted */
g_warning ("Unknown value %d for NAUTILUS_PREFERENCES_EXECUTABLE_TEXT_ACTIVATION",
preferences_value);
}
file_name = nautilus_file_get_display_name (file);
prompt = g_strdup_printf (_("Do you want to run “%s”, or display its contents?"),
file_name);
detail = g_strdup_printf (_("“%s” is an executable text file."),
file_name);
g_free (file_name);
dialog = eel_create_question_dialog (prompt,
detail,
_("Run in _Terminal"), RESPONSE_RUN_IN_TERMINAL,
_("_Display"), RESPONSE_DISPLAY,
parent_window);
gtk_dialog_add_button (dialog, _("_Cancel"), GTK_RESPONSE_CANCEL);
gtk_dialog_add_button (dialog, _("_Run"), RESPONSE_RUN);
gtk_dialog_set_default_response (dialog, GTK_RESPONSE_CANCEL);
gtk_widget_show (GTK_WIDGET (dialog));
g_free (prompt);
g_free (detail);
response = gtk_dialog_run (dialog);
gtk_widget_destroy (GTK_WIDGET (dialog));
switch (response)
{
case RESPONSE_RUN:
{
return ACTIVATION_ACTION_LAUNCH;
}
case RESPONSE_RUN_IN_TERMINAL:
{
return ACTIVATION_ACTION_LAUNCH_IN_TERMINAL;
}
case RESPONSE_DISPLAY:
{
return ACTIVATION_ACTION_OPEN_IN_APPLICATION;
}
default:
return ACTIVATION_ACTION_DO_NOTHING;
}
}
static ActivationAction
get_default_executable_text_file_action (void)
{
int preferences_value;
preferences_value = g_settings_get_enum (nautilus_preferences,
NAUTILUS_PREFERENCES_EXECUTABLE_TEXT_ACTIVATION);
switch (preferences_value)
{
case NAUTILUS_EXECUTABLE_TEXT_LAUNCH:
{
return ACTIVATION_ACTION_LAUNCH;
}
case NAUTILUS_EXECUTABLE_TEXT_DISPLAY:
{
return ACTIVATION_ACTION_OPEN_IN_APPLICATION;
}
case NAUTILUS_EXECUTABLE_TEXT_ASK:
default:
return ACTIVATION_ACTION_ASK;
}
}
static ActivationAction
get_activation_action (NautilusFile *file)
{
ActivationAction action;
......@@ -728,46 +615,19 @@ get_activation_action (NautilusFile *file)
return ACTIVATION_ACTION_EXTRACT;
}
if (nautilus_file_is_nautilus_link (file))
{
return ACTIVATION_ACTION_LAUNCH_DESKTOP_FILE;
}
activation_uri = nautilus_file_get_activation_uri (file);
if (activation_uri == NULL)
{
activation_uri = nautilus_file_get_uri (file);
}
action = ACTIVATION_ACTION_DO_NOTHING;
if (nautilus_file_is_launchable (file))
if (nautilus_file_opens_in_view (file))
{
char *executable_path;
action = ACTIVATION_ACTION_LAUNCH;
executable_path = g_filename_from_uri (activation_uri, NULL, NULL);
if (!executable_path)
{
action = ACTIVATION_ACTION_DO_NOTHING;
}
else if (nautilus_file_contains_text (file))
{
action = get_default_executable_text_file_action ();
}
g_free (executable_path);
action = ACTIVATION_ACTION_OPEN_IN_VIEW;
}
if (action == ACTIVATION_ACTION_DO_NOTHING)
else
{
if (nautilus_file_opens_in_view (file))
{
action = ACTIVATION_ACTION_OPEN_IN_VIEW;
}
else
{
action = ACTIVATION_ACTION_OPEN_IN_APPLICATION;
}
action = ACTIVATION_ACTION_OPEN_IN_APPLICATION;
}
g_free (activation_uri);
......@@ -781,16 +641,6 @@ nautilus_mime_file_extracts (NautilusFile *file)
}
gboolean
nautilus_mime_file_launches (NautilusFile *file)
{
ActivationAction activation_action;
activation_action = get_activation_action (file);
return (activation_action == ACTIVATION_ACTION_LAUNCH);
}
gboolean
nautilus_mime_file_opens_in_external_app (NautilusFile *file)
{
ActivationAction activation_action;
......@@ -845,7 +695,6 @@ activation_parameters_free (ActivateParameters *parameters)
nautilus_file_list_free (parameters->mountables);
nautilus_file_list_free (parameters->start_mountables);
nautilus_file_list_free (parameters->not_mounted);
g_free (parameters->activation_directory);
g_free (parameters->timed_wait_prompt);
g_assert (parameters->files_handle == NULL);
g_free (parameters);
......@@ -973,7 +822,6 @@ typedef struct
NautilusFile *file;
GList *files;
NautilusWindowOpenFlags flags;
char *activation_directory;
gboolean user_confirmation;
char *uri;
GDBusProxy *proxy;
......@@ -999,7 +847,6 @@ activate_parameters_install_free (ActivateParametersInstall *parameters_install)
nautilus_file_unref (parameters_install->file);
nautilus_file_list_free (parameters_install->files);
g_free (parameters_install->activation_directory);
g_free (parameters_install->uri);
g_free (parameters_install);
}
......@@ -1203,7 +1050,6 @@ search_for_application_dbus_call_notify_cb (GDBusProxy *proxy,
nautilus_mime_activate_files (parameters_install->parent_window,
parameters_install->slot,
parameters_install->files,
parameters_install->activation_directory,
parameters_install->flags,
parameters_install->user_confirmation);
......@@ -1352,7 +1198,6 @@ application_unhandled_uri (ActivateParameters *parameters,
parameters_install->parent_window = parameters->parent_window;
g_object_add_weak_pointer (G_OBJECT (parameters_install->parent_window), (gpointer *) &parameters_install->parent_window);
}
parameters_install->activation_directory = g_strdup (parameters->activation_directory);
parameters_install->file = file;
parameters_install->files = get_file_list_for_launch_locations (parameters->locations);
parameters_install->flags = parameters->flags;
......@@ -1396,145 +1241,6 @@ out:
show_unhandled_type_error (parameters_install);
}
typedef struct
{
GtkWindow *parent_window;
NautilusFile *file;
} ActivateParametersDesktop;
static void
activate_parameters_desktop_free (ActivateParametersDesktop *parameters_desktop)
{
if (parameters_desktop->parent_window)
{
g_object_remove_weak_pointer (G_OBJECT (parameters_desktop->parent_window), (gpointer *) &parameters_desktop->parent_window);
}
nautilus_file_unref (parameters_desktop->file);
g_free (parameters_desktop);
}
static void
untrusted_launcher_response_callback (GtkDialog *dialog,
int response_id,
ActivateParametersDesktop *parameters)
{
GdkScreen *screen;
char *uri;
GFile *file;
switch (response_id)
{
case GTK_RESPONSE_OK:
{
file = nautilus_file_get_location (parameters->file);
/* We need to do this in order to prevent malicious desktop files
* with the executable bit already set.
* See https://bugzilla.gnome.org/show_bug.cgi?id=777991
*/
nautilus_file_set_metadata (parameters->file, NAUTILUS_METADATA_KEY_DESKTOP_FILE_TRUSTED,
NULL,
"yes");
nautilus_file_mark_desktop_file_executable (file,
parameters->parent_window,
TRUE,
NULL, NULL);
/* Need to force a reload of the attributes so is_trusted is marked
* correctly. Not sure why the general monitor doesn't fire in this
* case when setting the metadata
*/
nautilus_file_invalidate_all_attributes (parameters->file);
screen = gtk_widget_get_screen (GTK_WIDGET (parameters->parent_window));
uri = nautilus_file_get_uri (parameters->file);
DEBUG ("Launching untrusted launcher %s", uri);
nautilus_launch_desktop_file (screen, uri, NULL,
parameters->parent_window);
g_free (uri);
g_object_unref (file);
}
break;
default:
{
/* Just destroy dialog */
}
break;
}
gtk_widget_destroy (GTK_WIDGET (dialog));
activate_parameters_desktop_free (parameters);
}
static void
activate_desktop_file (ActivateParameters *parameters,
NautilusFile *file)
{
ActivateParametersDesktop *parameters_desktop;
char *primary, *secondary, *display_name;
GtkWidget *dialog;
GdkScreen *screen;
char *uri;
screen = gtk_widget_get_screen (GTK_WIDGET (parameters->parent_window));
if (!nautilus_file_is_trusted_link (file))
{
/* copy the parts of parameters we are interested in as the orignal will be freed */
parameters_desktop = g_new0 (ActivateParametersDesktop, 1);
if (parameters->parent_window)
{
parameters_desktop->parent_window = parameters->parent_window;
g_object_add_weak_pointer (G_OBJECT (parameters_desktop->parent_window), (gpointer *) &parameters_desktop->parent_window);
}
parameters_desktop->file = nautilus_file_ref (file);
primary = _("Untrusted application launcher");
display_name = nautilus_file_get_display_name (file);
secondary =
g_strdup_printf (_("The application launcher “%s” has not been marked as trusted. "
"If you do not know the source of this file, launching it may be unsafe."
),
display_name);
dialog = gtk_message_dialog_new (parameters->parent_window,
0,
GTK_MESSAGE_WARNING,
GTK_BUTTONS_NONE,
NULL);
g_object_set (dialog,
"text", primary,
"secondary-text", secondary,
NULL);
gtk_dialog_add_button (GTK_DIALOG (dialog),
_("_Cancel"), GTK_RESPONSE_CANCEL);
gtk_dialog_set_default_response (GTK_DIALOG (dialog), GTK_RESPONSE_CANCEL);
if (nautilus_file_can_set_permissions (file))
{
gtk_dialog_add_button (GTK_DIALOG (dialog),
_("Trust and _Launch"), GTK_RESPONSE_OK);
}
g_signal_connect (dialog, "response",
G_CALLBACK (untrusted_launcher_response_callback),
parameters_desktop);
gtk_widget_show (dialog);
g_free (display_name);
g_free (secondary);
return;
}
uri = nautilus_file_get_uri (file);
DEBUG ("Launching trusted launcher %s", uri);
nautilus_launch_desktop_file (screen, uri, NULL,
parameters->parent_window);
g_free (uri);
}
static void
on_launch_default_for_uri (GObject *source_object,
GAsyncResult *res,
......@@ -1598,19 +1304,12 @@ activate_files (ActivateParameters *parameters)
NautilusWindowOpenFlags flags;
int count;
g_autofree char *old_working_dir = NULL;
GdkScreen *screen;
gboolean closed_window;
g_autoptr (GQueue) launch_desktop_files = NULL;
g_autoptr (GQueue) launch_files = NULL;
g_autoptr (GQueue) launch_in_terminal_files = NULL;
g_autoptr (GQueue) open_in_app_uris = NULL;
g_autoptr (GQueue) open_in_view_files = NULL;
GList *l;
ActivationAction action;
launch_desktop_files = g_queue_new ();
launch_files = g_queue_new ();
launch_in_terminal_files = g_queue_new ();
open_in_view_files = g_queue_new ();
open_in_app_uris = g_queue_new ();
......@@ -1627,36 +1326,8 @@ activate_files (ActivateParameters *parameters)
}
action = get_activation_action (file);
if (action == ACTIVATION_ACTION_ASK)
{
/* Special case for executable text files, since it might be
* dangerous & unexpected to launch these.
*/
pause_activation_timed_cancel (parameters);
action = get_executable_text_file_action (parameters->parent_window, file);
unpause_activation_timed_cancel (parameters);
}
switch (action)
{
case ACTIVATION_ACTION_LAUNCH_DESKTOP_FILE:
{
g_queue_push_tail (launch_desktop_files, file);
}
break;
case ACTIVATION_ACTION_LAUNCH:
{
g_queue_push_tail (launch_files, file);
}
break;
case ACTIVATION_ACTION_LAUNCH_IN_TERMINAL:
{
g_queue_push_tail (launch_in_terminal_files, file);
}
break;
case ACTIVATION_ACTION_OPEN_IN_VIEW:
{
g_queue_push_tail (open_in_view_files, file);
......@@ -1681,7 +1352,7 @@ activate_files (ActivateParameters *parameters)
}
break;
case ACTIVATION_ACTION_ASK:
default:
{
g_assert_not_reached ();
}
......@@ -1689,61 +1360,6 @@ activate_files (ActivateParameters *parameters)
}
}
for (l = g_queue_peek_head_link (launch_desktop_files); l != NULL; l = l->next)
{
file = NAUTILUS_FILE (l->data);
activate_desktop_file (parameters, file);
}
if (parameters->activation_directory &&
(!g_queue_is_empty (launch_files) ||
!g_queue_is_empty (launch_in_terminal_files)))
{
old_working_dir = g_get_current_dir ();
g_chdir (parameters->activation_directory);
}
screen = gtk_widget_get_screen (GTK_WIDGET (parameters->parent_window));
for (l = g_queue_peek_head_link (launch_files); l != NULL; l = l->next)
{
g_autofree char *uri = NULL;
g_autofree char *executable_path = NULL;
g_autofree char *quoted_path = NULL;
file = NAUTILUS_FILE (l->data);
uri = nautilus_file_get_activation_uri (file);
executable_path = g_filename_from_uri (uri, NULL, NULL);
quoted_path = g_shell_quote (executable_path);
DEBUG ("Launching file path %s", quoted_path);
nautilus_launch_application_from_command (screen, quoted_path, FALSE, NULL);
}
for (l = g_queue_peek_head_link (launch_in_terminal_files); l != NULL; l = l->next)
{
g_autofree char *uri = NULL;
g_autofree char *executable_path = NULL;
g_autofree char *quoted_path = NULL;
file = NAUTILUS_FILE (l->data);
uri = nautilus_file_get_activation_uri (file);
executable_path = g_filename_from_uri (uri, NULL, NULL);
quoted_path = g_shell_quote (executable_path);
DEBUG ("Launching in terminal file quoted path %s", quoted_path);
nautilus_launch_application_from_command (screen, quoted_path, TRUE, NULL);
}
if (old_working_dir != NULL)
{
g_chdir (old_working_dir);
}
count = g_queue_get_length (open_in_view_files);
flags = parameters->flags;
......@@ -1912,8 +1528,7 @@ activation_mount_not_mounted_callback (GObject *source_object,
file);
if (loc)
{
parameters->locations =
g_list_remove (parameters->locations, loc);
parameters->locations = g_list_remove (parameters->locations, loc);
launch_location_free (loc);
}
}
......@@ -2332,20 +1947,10 @@ activation_start_mountables (ActivateParameters *parameters)
}
}
/**
* nautilus_mime_activate_files:
*
* Activate a list of files. Each one might launch with an application or
* with a component. This is normally called only by subclasses.
* @view: FMDirectoryView in question.
* @files: A GList of NautilusFiles to activate.
*
**/
void
nautilus_mime_activate_files (GtkWindow *parent_window,
NautilusWindowSlot *slot,
GList *files,
const char *launch_directory,
NautilusWindowOpenFlags flags,
gboolean user_confirmation)
{
......@@ -2372,7 +1977,6 @@ nautilus_mime_activate_files (GtkWindow *parent_window,
g_object_add_weak_pointer (G_OBJECT (parameters->parent_window), (gpointer *) &<