Add "--" to separate options from (untrusted) non-options arguments

This will prevent passing an option instead of command (qvm-run) / domain name (qrexec-policy). In both cases when VM tries to pass some option it would fail because missing argument then - VM can not pass additional arguments, so if one act as an option, one argument will be missing).
9 years ago · d031126737
parent 4449d51d98
commit d031126737
2 changed files with 2 additions and 2 deletions
--- a/appmenus-scripts/qubes-receive-appmenus
+++ b/appmenus-scripts/qubes-receive-appmenus
@ -207,7 +207,7 @@ def create_template(path, values):
        if values.has_key(key):
            desktop_file.write("{0}={1}\n".format(key, values[key]))

-    desktop_file.write("Exec=qvm-run -q --tray -a %VMNAME% {0}\n".format(pipes.quote(values['Exec'])))
+    desktop_file.write("Exec=qvm-run -q --tray -a %VMNAME% -- {0}\n".format(pipes.quote(values['Exec'])))
    desktop_file.close()


--- a/qrexec/qrexec-daemon.c
+++ b/qrexec/qrexec-daemon.c
@ -674,7 +674,7 @@ static void handle_execute_service(void)
    signal(SIGPIPE, SIG_DFL);
    snprintf(remote_domain_id_str, sizeof(remote_domain_id_str), "%d",
            remote_domain_id);
-    execl("/usr/lib/qubes/qrexec-policy", "qrexec-policy",
+    execl("/usr/lib/qubes/qrexec-policy", "qrexec-policy", "--",
            remote_domain_id_str, remote_domain_name, params.target_domain,
            params.service_name, params.request_id.ident, NULL);
    perror("execl");