Ubuntu
gnome-shell package

Uninstalling extensions dereferences symlinks, risking data loss

Bug #1998529 reported by Drew R.
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
GNOME Shell
Fix Released
Unknown
gnome-shell (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

Uninstalling a gnome-shell extension removes its folder in ".local/share/gnome-shell/extensions", recursively as it should, but dereferencing symlinks!! Here is what happens and how to reproduce:

Someone (me) installs an extension to try it out. While tweaking with its configuration, to try to customize it, I put a symlink within its extensions directory, pointing to somewhere else in my home folder. For example, in my case, a symlink to "~/Pictures/Icons", to be able to set it up with one of many custom icons I've created. Uninstall the extension later as it's not to my liking, extensions folder is gone, as well as my ~/Pictures/Icons folder's contents in my home directory. This could have been a lot worse, if the symlink was pointing higher up, since its doing a recursive delete.

In this case, extension was installed as well as removed from the gnome-extensions website. Usually I install from website, but uninstall from extensions manager. Do not know if it happens with extensions manager as well.

Please fix this, because I was frankly shocked that this happened, and could lead to very bad things (I've never seen a rm -rf follow symlinks, and wouldn't even want to know what flag would do that and why you would want that).

What would expect to happen: A simple rm -rf recursive, non-dereferencing removal of extensions directory.

What happened instead: A recursive removal, dereferencing symlinks, which can lead anywhere, and be very dangerous. Symlinks may have been placed in there if someone was working on or tweaking an extension.

Description: Ubuntu 22.04.1 LTS
Release: 22.04
gnome-shell 42.5
chrome-gnome-shell 10.1

Daniel van Vugt (vanvugt)
tags: added: jammy
Bug Watch Updater (bug-watch-updater)
Changed in gnome-shell:
status: Unknown → New
Bug Watch Updater (bug-watch-updater)
Changed in gnome-shell:
status: New → Fix Released
Daniel van Vugt (vanvugt)
Changed in gnome-shell (Ubuntu):
status: New → Fix Committed
tags: added: fixed-in-gnome-shell-44 fixed-upstream
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (6.9 KiB)

This bug was fixed in the package gnome-shell - 44~beta-1ubuntu1

---------------
gnome-shell (44~beta-1ubuntu1) lunar; urgency=medium

  [ Jeremy Bicha ]
  * Merge with Debian, containing new upstream release:
    - Do not deference symlinks when uninstalling an extension (LP: #1998529)
  * Remaining changes with debian:
    - Add some Recommends:
      + ubuntu-session (| gnome-session) to have the ubuntu session available
      + ubuntu-wallpapers
      + xserver-xorg-legacy
      + yaru-theme-gnome-shell for the default ubuntu theming
    - Move some Recommends to Suggests:
      + chrome-gnome-shell
      + gnome-backgrounds
    - Update debian/gbp.conf with Ubuntu settings
    - debian/ubuntu-session-mods/ubuntu.json: Use Yaru's gnome-shell icons
    - debian/patches: Do not hang & crash if fingerprint service fails to start
      (LP: #1962566)
    - ubuntu/desktop_detect.patch:
      + add caching for desktop detection to avoid querying the current
        desktop env variable as iterate through the list each time. For the
        time of the Shell process, we can expect this env variable to stay
        stable.
    - ubuntu/lightdm-user-switching.patch:
      + Allow user switching when using LightDM.
    - ubuntu/lock_on_suspend.patch
      + Respect Ubuntu's lock-on-suspend setting.
    - ubuntu/background_login.patch
      + Change default background color as we modified the default GDM color
        for our ubuntu session.
    - ubuntu/gdm_alternatives.patch
      + Add support for GDM3 theme alternatives
    - main-show-an-error-message-on-gnome-shell-crash.patch,
      global-make-possible-to-set-debug-flags-dynamically.patch,
      main-increase-the-granularity-of-backtraces-in-SHELL_DEBU.patch,
      main-add-backtrace-crashes-all-and-backtrace-all.patch,
      sessionMode-add-support-for-debugFlags-parameter.patch:
      + Improve debug JS tracing for crash reports
    - ubuntu/smarter_alt_tab.patch:
      + quick alt-tab (without showing up the switcher) switch only between
        the last window of the last 2 applications to be focused instead of
        raising all windows of those apps.
    - magnifier-Show-cursor-when-magnifier-is-enabled-and-scale.patch:
      + Show monitor scaled cursor when magnifier is enabled
    - ubuntu/search-call-XUbuntuCancel-method-on-providers-when-no-dat.patch:
      + stop searches when requested from UI
    - magnifier-Show-cursor-when-magnifier-is-enabled-and-scale.patch
    - u/search-call-XUbuntuCancel-method-on-providers-when-no-dat.patch
    - ubuntu/resolve_alternate_theme_path.patch
    - ubuntu/secure_mode_extension.patch
    - ubuntu/keep-ubuntu-logo-bright-lp1867133-v1.patch
    - ubuntu/configure_login_screen.patch
    - ubuntu/layout-Make-starting-in-the-overview-optional.patch:
      + Makes dock replace overview easier
    - ubuntu/layout-Try-to-allocate-before-getting-size-of-tracke.patch:
      + Ensure windows don't get maximized under the panels / dock
    - debian/patches: Compute system background color from theme (LP: #1965727)
    - ubuntu/configure-login-screen.patch: Use bg color for initial system bg
      (LP: #1965727)
    - debian/patches: Ensure St.Entry's `...

Read more...

Changed in gnome-shell (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.