beenull/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2024-11-25 09:00:22 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

LibDesktop: Avoid UAF when launching a process with escalation

Browse source 
The value returned by executable() was a temporarily allocated string
which we were holding a view into.
This commit is contained in:
Timothy Flynn 2024-04-03 21:54:44 -04:00 committed by Andreas Kling
parent e57d739705
commit 38ca0f8db9
Notes: sideshowbarker 2024-07-17 18:23:22 +09:00 
Author: https://github.com/trflynn89
Commit: https://github.com/SerenityOS/serenity/commit/38ca0f8db9
Pull-request: https://github.com/SerenityOS/serenity/pull/23830
Reviewed-by: https://github.com/shannonbooth
1 changed files with 8 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
Userland/Libraries/LibDesktop/AppFile.cpp
View file

@ -188,19 +188,22 @@ bool AppFile::spawn_with_escalation(ReadonlySpan<StringView> user_arguments) con
StringView exe;
Vector<StringView, 2> args;
auto executable = AppFile::executable();
// FIXME: These single quotes won't be enough for executables with single quotes in their name.
auto pls_with_executable = ByteString::formatted("/bin/pls '{}'", executable());
auto pls_with_executable = ByteString::formatted("/bin/pls '{}'", executable);
if (run_in_terminal() && !requires_root()) {
exe = "/bin/Terminal"sv;
args = { "-e"sv, executable().view() };
args = { "-e"sv, executable };
} else if (!run_in_terminal() && requires_root()) {
exe = "/bin/Escalator"sv;
args = { executable().view() };
args = { executable };
} else if (run_in_terminal() && requires_root()) {
exe = "/bin/Terminal"sv;
args = { "-e"sv, pls_with_executable.view() };
args = { "-e"sv, pls_with_executable };
} else {
exe = executable().view();
exe = executable;
}
args.extend(Vector(user_arguments));