path: root/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch
blob: f942f990bd3c726d56dfe2f3a85adf1f13e4a8f3 (plain)
From 9165a61f95e43cc0b5abf9b98eee2818a0191e0b Mon Sep 17 00:00:00 2001
From: Alexander Schwinn <alexxcons@xfce.org>
Date: Sat, 1 May 2021 00:40:44 +0200
Subject: [PATCH 1/2] Dont execute files, passed via command line due to
 security risks

Instead open the containing folder and select the file.

Fixes #121

Upstream-Status: Backport
CVE: CVE-2021-32563

Reference to upstream patch:
[https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b]

Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
---
 thunar/thunar-application.c | 25 +++++++++++++++++++++++--
 thunar/thunar-window.c      |  4 +---
 thunar/thunar-window.h      |  2 ++
 3 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/thunar/thunar-application.c b/thunar/thunar-application.c
index df862fd..1243940 100644
--- a/thunar/thunar-application.c
+++ b/thunar/thunar-application.c
@@ -1512,8 +1512,29 @@ thunar_application_process_files_finish (ThunarBrowser *browser,
     }
   else
     {
-      /* try to open the file or directory */
-      thunar_file_launch (target_file, screen, startup_id, &error);
+      if (thunar_file_is_directory (file))
+        {
+          thunar_application_open_window (application, file, screen, startup_id, FALSE);
+        }
+      else
+        {
+          /* Note that for security reasons we do not execute files passed via command line */
+          /* Lets rather open the containing directory and select the file */
+          ThunarFile *parent = thunar_file_get_parent (file, NULL);
+
+          if (G_LIKELY (parent != NULL))
+            {
+              GList* files = NULL;
+              GtkWidget *window;
+
+              window = thunar_application_open_window (application, parent, screen, startup_id, FALSE);
+              g_object_unref (parent);
+
+              files = g_list_append (files, thunar_file_get_file (file));
+              thunar_window_select_files (THUNAR_WINDOW (window), files);
+              g_list_free (files);
+            }
+        }
 
       /* remove the file from the list */
       application->files_to_launch = g_list_delete_link (application->files_to_launch,
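Review bot: In the non-directory branch the return value of `thunar_application_open_window` goes straight into `THUNAR_WINDOW (window)` and `thunar_window_select_files` without a NULL check. That function's definition is outside this patch, so if it can return NULL the selection step runs on an invalid widget; wrapping the three list/select lines in `if (G_LIKELY (window != NULL))` would cover it. When `thunar_file_get_parent` returns NULL the argument is dropped silently, with no window opened and nothing stored in `error`, so a comment such as `/* no parent: nothing to show; the file is deliberately not launched */` would make that intent explicit. The new code also tests and opens `file` where the removed line launched `target_file`, which is worth confirming as intended because the enclosing function starts and ends outside the hunk. This is patch 1/2 of the CVE fix, so the behaviour here should be read together with the second patch, which is not shown on this page.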
diff --git a/thunar/thunar-window.c b/thunar/thunar-window.c
index b330a87..b234fd3 100644
--- a/thunar/thunar-window.c
+++ b/thunar/thunar-window.c
@@ -243,8 +243,6 @@ static void      thunar_window_update_go_menu             (ThunarWindow
                                                            GtkWidget              *menu);
 static void      thunar_window_update_help_menu           (ThunarWindow           *window,
                                                            GtkWidget              *menu);
-static void      thunar_window_select_files               (ThunarWindow           *window,
-                                                           GList                  *path_list);
 static void      thunar_window_binding_create             (ThunarWindow           *window,
                                                            gpointer                src_object,
                                                            const gchar            *src_prop,
@@ -891,7 +889,7 @@ thunar_window_screen_changed (GtkWidget *widget,
  *
  * Visually selects the files, given by the list
  **/
-static void
+void
 thunar_window_select_files (ThunarWindow *window,
                             GList        *files_to_selected)
 {
diff --git a/thunar/thunar-window.h b/thunar/thunar-window.h
index 9cbcc85..3c1aad2 100644
--- a/thunar/thunar-window.h
+++ b/thunar/thunar-window.h
@@ -126,6 +126,8 @@ void                      thunar_window_redirect_menu_tooltips_to_statusbar (Thu
                                                                              GtkMenu             *menu);
 const XfceGtkActionEntry* thunar_window_get_action_entry                    (ThunarWindow        *window,
                                                                              ThunarWindowAction   action);
+ void                     thunar_window_select_files                        (ThunarWindow         *window,
+                                                                             GList                *path_list);
 G_END_DECLS;
 
 #endif /* !__THUNAR_WINDOW_H__ */
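Review bot: The newly exported prototype names its second parameter `path_list`, while the definition in thunar-window.c uses `files_to_selected`, and the added line starts with a stray space before `void`, so it does not line up with the neighbouring declarations. Now that the function is public, the header and the doc comment above the definition should agree and state what the list holds. The caller added in thunar-application.c passes the results of `thunar_file_get_file`, presumably `GFile` objects, and frees the list itself with `g_list_free`. I would declare it as `void thunar_window_select_files (ThunarWindow *window, GList *files_to_selected);` and extend the doc comment with `@files_to_selected: list of files to select; the list remains owned by the caller`, after confirming the element type against the function body, which is outside this patch.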
-- 
2.17.1