| author | Denys Vlasenko <vda.linux@googlemail.com> | 2010-01-21 02:56:53 +0100 |
|---|---|---|
| committer | Denys Vlasenko <vda.linux@googlemail.com> | 2010-01-21 02:56:53 +0100 |
| commit | 6443695f275167adb123070daf2a6b6ecc0bb371 (patch) | |
| tree | e55e9cb7795f3a5fb239793eab60f2320fe11cbc /src/Daemon/CommLayerServerDBus.cpp | |
| parent | f1322558475277ffed7a9c61f4b9478b4dd1d46c (diff) | |
abrtd: fix Report() dbus call gaping security holes
We were blindly trusting the values passed to us
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Diffstat (limited to 'src/Daemon/CommLayerServerDBus.cpp')
| -rw-r--r-- | src/Daemon/CommLayerServerDBus.cpp | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/src/Daemon/CommLayerServerDBus.cpp b/src/Daemon/CommLayerServerDBus.cpp
index ddfbba49..f1f10e50 100644
--- a/src/Daemon/CommLayerServerDBus.cpp
+++ b/src/Daemon/CommLayerServerDBus.cpp
@@ -190,7 +190,8 @@ static int handle_CreateReport(DBusMessage* call, DBusMessage* reply)
 }
 long unix_uid = get_remote_uid(call);
- map_crash_data_t report = CreateReport(pUUID, to_string(unix_uid).c_str(), /*force:*/ 0);
+ map_crash_data_t report;
+ CreateReport(pUUID, to_string(unix_uid).c_str(), /*force:*/ 0, report);
 DBusMessageIter out_iter;
 dbus_message_iter_init_append(reply, &out_iter);
@@ -214,9 +215,9 @@ static int handle_Report(DBusMessage* call, DBusMessage* reply)
 return -1;
 }
- map_crash_data_t::const_iterator it_comment = argin1.find(CD_COMMENT);
+ map_crash_data_t::const_iterator it_comment = argin1.find(FILENAME_COMMENT);
 const char* comment = (it_comment != argin1.end()) ? it_comment->second[CD_CONTENT].c_str() : "";
- map_crash_data_t::const_iterator it_reproduce = argin1.find(CD_REPRODUCE);
+ map_crash_data_t::const_iterator it_reproduce = argin1.find(FILENAME_REPRODUCE);
 const char* reproduce = (it_reproduce != argin1.end()) ? it_reproduce->second[CD_CONTENT].c_str() : "";
 const char* errmsg = NULL;
 if (strlen(comment) > LIMIT_MESSAGE) |
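Review bot: In handle_CreateReport, `unix_uid` goes straight from `get_remote_uid(call)` into `CreateReport` as the owner identity, with nothing checked between the two lines. What get_remote_uid returns when the sender's uid cannot be resolved is not visible in this hunk; if it can yield a default or sentinel value, the report lookup runs under that identity, so the handler should fail closed (log and `return -1;`) before `CreateReport` is reached. The call's outcome is also unchecked now that `report` is an out-parameter, so unless CreateReport throws, a refused lookup is serialised as an empty reply; a comment stating that contract on the call line would help the next reader. The function starts and ends outside the hunk.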
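Review bot: In handle_Report, `it_comment->second[CD_CONTENT]` and `it_reproduce->second[CD_CONTENT]` index the caller-supplied entry without checking how many elements it holds. `argin1` appears to be decoded from the D-Bus message, so a client can presumably send a FILENAME_COMMENT or FILENAME_REPRODUCE entry with fewer than CD_CONTENT + 1 elements, and `operator[]` would then read out of bounds (assuming the mapped type is a vector, which the hunk does not show). Guard both lookups, for example `(it_comment != argin1.end() && it_comment->second.size() > CD_CONTENT) ? it_comment->second[CD_CONTENT].c_str() : ""`, and likewise for `it_reproduce`. The `strlen(comment) > LIMIT_MESSAGE` check that follows only helps once the string is known to exist. handle_Report's body begins and ends outside the hunk.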
