system/serenity
system/serenity
1
0
Fork 0
mirror of https://github.com/SerenityOS/serenity synced 2024-07-23 02:55:15 +00:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

LibDesktop: Avoid UAF when launching a process with escalation

Browse source 
The value returned by executable() was a temporarily allocated string
which we were holding a view into.
This commit is contained in:
Timothy Flynn 2024-04-03 21:54:44 -04:00 committed by Andreas Kling
parent e57d739705
commit 38ca0f8db9
1 changed files with 8 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
Userland/Libraries/LibDesktop/AppFile.cpp
View file

@ -188,19 +188,22 @@ bool AppFile::spawn_with_escalation(ReadonlySpan<StringView> user_arguments) con
StringView exe;
Vector<StringView, 2> args;
auto executable = AppFile::executable();
// FIXME: These single quotes won't be enough for executables with single quotes in their name.
auto pls_with_executable = ByteString::formatted("/bin/pls '{}'", executable());
auto pls_with_executable = ByteString::formatted("/bin/pls '{}'", executable);
if (run_in_terminal() && !requires_root()) {
exe = "/bin/Terminal"sv;
args = { "-e"sv, executable().view() };
args = { "-e"sv, executable };
} else if (!run_in_terminal() && requires_root()) {
exe = "/bin/Escalator"sv;
args = { executable().view() };
args = { executable };
} else if (run_in_terminal() && requires_root()) {
exe = "/bin/Terminal"sv;
args = { "-e"sv, pls_with_executable.view() };
args = { "-e"sv, pls_with_executable };
} else {
exe = executable().view();
exe = executable;
}
args.extend(Vector(user_arguments));