fix: restrict D-Bus setCurrentReference to navigation references only #1331
Merged
karlkleinpaste merged 1 commit into Jun 19, 2026
The org.xiphos.remote D-Bus service is registered on the session bus with
G_BUS_NAME_OWNER_FLAGS_NONE, so any peer on the user's session bus can call
setCurrentReference(). The handler passed the untrusted reference straight
to main_url_handler() with clicked=TRUE, which not only navigates but also
honours actions that reach the local filesystem or spawn external programs:

- "showStudypad" loads an arbitrary file into the StudyPad editor;
- "showImage" hands a path to an external viewer (xdg-open, etc.);
- any URL matching none of the known schemes falls through to
  xiphos_open_default(), which opens an arbitrary URI/file in its default
  handler.

A D-Bus policy file cannot meaningfully fix this: the session bus is
per-user, so all peers share the caller's UID and a default-deny policy
would simply disable the remote-control feature for everyone. Instead,
validate the reference at the IPC boundary and accept only navigation
references (sword://, bible://, passagestudy.jsp, xiphos.url) while
rejecting the local-file actions and the open-anything fall-through.
clicked=TRUE is preserved so legitimate navigation still works.

This supersedes the earlier, non-functional approach of shipping an
org.xiphos.remote.conf whose "mandatory" allow rule overrode its "default"
deny (and which was never installed by the build).
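
An added example, not the code merged in this PR: one way to gate a reference at the IPC boundary along the lines the description gives. The function names, the start-anchored prefix match, and the assumption that an action arrives as an `action=` query parameter are hypothetical; only the four prefixes and the two action names come from the description.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Navigation prefixes and denied actions, as named in the PR description. */
static const char *const nav_prefixes[] = {
    "sword://", "bible://", "passagestudy.jsp", "xiphos.url" };
static const char *const denied_actions[] = { "showStudypad", "showImage" };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Assumption: the action is carried as an "action=" query parameter.
 * Matching is case-insensitive and a percent-encoded action value is
 * refused outright, so this check errs towards denying. */
static bool has_denied_action(const char *ref)
{
    const char *q = strchr(ref, '?');
    while (q != NULL && *++q != '\0') {
        size_t len = strcspn(q, "&#");          /* one key=value pair */
        if (strncasecmp(q, "action=", 7) == 0) {
            const char *val = q + 7;
            size_t vlen = len - 7;
            if (memchr(val, '%', vlen) != NULL)
                return true;
            for (size_t i = 0; i < COUNT(denied_actions); i++)
                if (strlen(denied_actions[i]) == vlen &&
                    strncasecmp(val, denied_actions[i], vlen) == 0)
                    return true;
        }
        q += len;                               /* at a separator or NUL */
        if (*q == '\0')
            break;
    }
    return false;
}

/* Hypothetical gate for the D-Bus handler: true only for references that
 * start with a navigation prefix and carry no denied action. Prefixes are
 * matched case-sensitively and anchored at the start; anything else is
 * refused here rather than left to the open-anything fall-through. */
bool reference_is_navigation(const char *ref)
{
    if (ref == NULL || *ref == '\0')
        return false;
    for (size_t i = 0; i < COUNT(nav_prefixes); i++)
        if (strncmp(ref, nav_prefixes[i], strlen(nav_prefixes[i])) == 0)
            return !has_denied_action(ref);
    return false;
}
```

The two comparisons are deliberately asymmetric: acceptance is strict (exact-case, anchored prefix) while denial is broad (any case, any encoded value), so a mismatch with the real handler's parsing fails closed.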