File 0001-Use-dbus-system-bus-name-instead-of-PID-for-authenti.patch of Package kdelibs4.4442
From 51cabd09ee9a6b26449a1b1839e002a7445e2dd3 Mon Sep 17 00:00:00 2001
From: "Martin T. H. Sandsmark" <martin.sandsmark@kde.org>
Date: Mon, 21 Jul 2014 22:52:40 +0200
Subject: [PATCH 01/01] Use dbus system bus name instead of PID for
authentication.
Using the PID for authentication is prone to a PID reuse
race condition, and a security issue.
REVIEW: 119323
---
kdecore/auth/backends/polkit-1/Polkit1Backend.cpp | 15 +++------------
1 file changed, 3 insertions(+), 12 deletions(-)
diff --git a/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp b/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
index cd7f6f3..732d2cb 100644
--- a/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
+++ b/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
@@ -144,7 +144,7 @@ void Polkit1Backend::setupAction(const QString &action)
Action::AuthStatus Polkit1Backend::actionStatus(const QString &action)
{
- PolkitQt1::UnixProcessSubject subject(QCoreApplication::applicationPid());
+ PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID()));
PolkitQt1::Authority::Result r = PolkitQt1::Authority::instance()->checkAuthorizationSync(action, subject,
PolkitQt1::Authority::None);
switch (r) {
@@ -160,21 +160,12 @@ Action::AuthStatus Polkit1Backend::actionStatus(const QString &action)
QByteArray Polkit1Backend::callerID() const
{
- QByteArray a;
- QDataStream s(&a, QIODevice::WriteOnly);
- s << QCoreApplication::applicationPid();
-
- return a;
+ return QDBusConnection::systemBus().baseService().toUtf8();
}
bool Polkit1Backend::isCallerAuthorized(const QString &action, QByteArray callerID)
{
- QDataStream s(&callerID, QIODevice::ReadOnly);
- qint64 pid;
-
- s >> pid;
-
- PolkitQt1::UnixProcessSubject subject(pid);
+ PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID));
PolkitQt1::Authority *authority = PolkitQt1::Authority::instance();
PolkitResultEventLoop e;
--
2.0.1
