From e4d278ff0018c370d6da074cddf766df40f1af07 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Tue, 18 Apr 2017 16:33:25 +0000
Subject: [PATCH] - Make `.desktop` match only `.desktop` and not `[wildcard character]desktop` - Remove () from the list of accepted characters (this seemed to be causing trouble, do we need it?) - Remove `%` from the whitelist of allowed characters in .desktop->Exec since the `%` character is interpreted as an escape by the [Desktop Entry specification](https://www.freedesktop.org/wiki/Specifications/desktop-entry-spec/), but not by the `pipes.quote()` function used to escape the string, which allows TemplateVMs to break out of the intended shell escaping. - Change whitespace match for `ignore_rx` to have empty lines from the Desktop Entry files excluded.
---
 appmenus-scripts/qubes-receive-appmenus | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/appmenus-scripts/qubes-receive-appmenus b/appmenus-scripts/qubes-receive-appmenus
index 75aa0b1..d392af3 100755
--- a/appmenus-scripts/qubes-receive-appmenus
+++ b/appmenus-scripts/qubes-receive-appmenus
@@ -50,7 +50,7 @@ fields_regexp = {
 "GenericName": std_re,
 "Comment": std_re,
 "Categories": re.compile(r"^[a-zA-Z0-9/.;:'() -]*$"),
- "Exec": re.compile(r"^[a-zA-Z0-9()_%&>/{}\"'\\:.= -]*$"),
+ "Exec": re.compile(r"^[a-zA-Z0-9()_&>/{}\"'\\:.= -]*$"),
 "Icon": re.compile(r"^[a-zA-Z0-9/_.-]*$"),
 }
@@ -142,8 +142,8 @@ def get_appmenus(vm):
 appmenus = {}
 line_rx = re.compile(
- r"([a-zA-Z0-9.()_-]+.desktop):([a-zA-Z0-9-]+(?:\[[a-zA-Z@_]+\])?)=(.*)")
- ignore_rx = re.compile(r".*([a-zA-Z0-9._-]+.desktop):(#.*|\s+)$")
+ r"([a-zA-Z0-9._-]+\.desktop):([a-zA-Z0-9-]+(?:\[[a-zA-Z@_]+\])?)=(.*)")
+ ignore_rx = re.compile(r".*([a-zA-Z0-9._-]+\.desktop):(#.*|\s*)$")
 for untrusted_line in untrusted_appmenulist:
 # Ignore blank lines and comments
 if len(untrusted_line) == 0 or ignore_rx.match(untrusted_line):
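Review bot: The new `"Exec"` pattern still admits `\`, `"` and `'`, which the Desktop Entry specification also gives special meaning in Exec values, so the mismatch with `pipes.quote()` that the commit message describes for `%` may not be limited to that one character. The code that quotes and writes the value is outside this hunk, so this needs checking against that call site rather than the whitelist alone. The entry should also carry a comment so that `%` is not restored later to let field codes through, for example `# No '%': the Desktop Entry spec treats it as an escape, pipes.quote() does not.` The `fields_regexp` dict opens above the hunk.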
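Review bot: Neither `line_rx` nor `ignore_rx` constrains what comes before the file-name group, so dropping `()` from the class may shorten the captured name instead of rejecting the line. If `line_rx` is applied with `search()` (the call is outside the hunk), a name such as the constructed `a(b)c.desktop` would still match and be captured as `c.desktop`. Requiring a line start or path separator before the group, for example prefixing the pattern with `(?:^|/)`, would make the narrowed class actually exclude such names. The leading `.*` in `ignore_rx` has the same effect and should follow whichever rule `line_rx` gets. The body of `get_appmenus` starts above and continues below this hunk.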