Message-ID: <ag2Hgd1x2yLaVikw@definition.pseudorandom.co.uk>
Date: Wed, 20 May 2026 11:05:53 +0100
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: PCManFM-Qt allows arbitrary files to be opened
 via the org.freedesktop.FileManager1.ShowFolders method

On Tue, 19 May 2026 at 20:33:45 -0400, Aaron Rainbolt wrote:
>    # next command is run inside the sandbox, which happens to have
>    # both bash and dbus-send available
>    dbus-send \
>      --print-reply \
>      --session \
>      --dest=org.freedesktop.FileManager1 \

Note that as discussed in the other recent thread, Flatpak doesn't allow 
this call by default: it's only allowed because the org.mozilla.firefox 
app has it as an explicitly-added static permission.

But it's probably possible to reach a similar o.fd.FileManager1 call 
from sandboxed code indirectly, by asking the OpenURI portal to open a 
directory, which will try to dispatch it to a file manager.

     smcv
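
Added example, not part of the message above: a small audit of Flatpak static permissions for direct access to org.freedesktop.FileManager1, reading the keyfile text that `flatpak info --show-permissions APP` prints. The app IDs and metadata in SAMPLES are constructed for illustration, and the function names are hypothetical.

```python
import configparser

TARGET = "org.freedesktop.FileManager1"
CALL_LEVELS = {"talk", "own"}  # policy levels that permit method calls

def name_matches(pattern, name=TARGET):
    """Bus-policy match; 'a.b.*' covers 'a.b' and every name beneath it."""
    if pattern.endswith(".*"):
        prefix = pattern[:-2]
        return name == prefix or name.startswith(prefix + ".")
    return pattern == name

def filemanager1_grants(metadata_text):
    """Return the static permissions that let the app call FileManager1."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   strict=False)
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(metadata_text)
    reasons = []
    if cp.has_section("Context"):
        sockets = cp.get("Context", "sockets", fallback="").split(";")
        if "session-bus" in sockets:  # whole bus exposed, no name filtering
            reasons.append("sockets=session-bus (unfiltered session bus)")
    if cp.has_section("Session Bus Policy"):
        for pattern, level in cp.items("Session Bus Policy"):
            if level in CALL_LEVELS and name_matches(pattern):
                reasons.append(f"{pattern}={level}")
    return reasons

# Constructed sample metadata (not taken from any real app).
SAMPLES = {
    "org.example.Browser": "[Context]\nsockets=wayland;pulseaudio;\n\n"
                           "[Session Bus Policy]\n"
                           "org.freedesktop.FileManager1=talk\n"
                           "org.freedesktop.Notifications=talk\n",
    "org.example.Wide": "[Session Bus Policy]\norg.freedesktop.*=talk\n",
    "org.example.Editor": "[Context]\nsockets=wayland;\n\n"
                          "[Session Bus Policy]\n"
                          "org.freedesktop.FileManager1=see\n",
    "org.example.Legacy": "[Context]\nsockets=x11;session-bus;\n",
}

if __name__ == "__main__":
    for app, text in SAMPLES.items():
        grants = filemanager1_grants(text)
        print(app, "->", ", ".join(grants) if grants else "no direct access")
```

This only covers the direct static-permission path; the indirect route via the OpenURI portal mentioned in the message does not show up in these permissions.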
