session: Validate the token for correctness

The token is used as part of an object path so it has to meet those requirements. We can't escape it since the caller presumably expects to use the token as-is so where it fails the validity simply error out. Closes: #1549
flatpak · Jan 10, 2025 · 2d68212 · 2d68212
1 parent 34ff12c
commit 2d68212
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 0 deletions.
diff --git a/src/xdp-session.c b/src/xdp-session.c
@@ -311,6 +311,20 @@ xdp_session_authorize_callback (GDBusInterfaceSkeleton *interface,
   return TRUE;
 }
 
+static gboolean
+is_valid_token(const char *token)
+{
+  int i;
+
+  for (i = 0; token[i]; i++)
+    {
+      if (!g_ascii_isalnum(token[i]) && token[i] != '_')
+        return FALSE;
+    }
+
+  return TRUE;
+}
+
 static gboolean
 xdp_session_initable_init (GInitable     *initable,
                            GCancellable  *cancellable,
@@ -335,6 +349,15 @@ xdp_session_initable_init (GInitable     *initable,
       return FALSE;
     }
 
+  if (!is_valid_token(session->token))
+    {
+      g_set_error (error,
+                   XDG_DESKTOP_PORTAL_ERROR,
+                   XDG_DESKTOP_PORTAL_ERROR_INVALID_ARGUMENT,
+                   "Invalid token '%s'", session->token);
+      return FALSE;
+    }
+
   id = g_strdup_printf ("/org/freedesktop/portal/desktop/session/%s/%s",
                         sender_escaped, session->token);
 

diff --git a/tests/test_remotedesktop.py b/tests/test_remotedesktop.py
@@ -46,6 +46,19 @@ def test_remote_desktop_create_close_session(self, portals, dbus_con):
         session.close()
         xdp.wait_for(lambda: session.closed)
 
+    def test_remote_desktop_create_session_invalid(self, portals, dbus_con):
+        remotedesktop_intf = xdp.get_portal_iface(dbus_con, "RemoteDesktop")
+
+        request = xdp.Request(dbus_con, remotedesktop_intf)
+        options = {"session_handle_token": "Invalid-token&"}
+
+        with pytest.raises(dbus.exceptions.DBusException) as excinfo:
+            request.call("CreateSession", options=options)
+
+        e = excinfo.value
+        assert e.get_dbus_name() == "org.freedesktop.portal.Error.InvalidArgument"
+        assert "Invalid token" in e.get_dbus_message()
+
     @pytest.mark.parametrize(
         "template_params", ({"remotedesktop": {"force-close": 500}},)
     )