Comment 0 for bug 306362

In , Joachim Breitner (nomeata) wrote :

Hi,

if I understand everything correctly, there is a bad security bug in dbus:

The default configuration contains the lines
    <allow send_requested_reply="true"/>
    <allow receive_requested_reply="true"/>
with the valid intention to allow all replies to be sent without explicit permission. Otherwise, dbus claims to have a default-no policy.

But what happens instead is: When a message is considered for sending, it enters bus_client_policy_check_can_send in policy.c[1]. There, all rules are looked at, but only SEND rules are considered (line 893) – the first of the above rules is such a rule. Now we check for various conditions that might occur in such a rule (e.g. destination and the like), but none of these exist besides send_requested_reply. But in line 909 this is only done for messages which are replies. This means that for normal messages, we continue with the code and end up in line 1028, where we set the allowed flag! If no other rule kicks in, this stays allowed until the end.

A proper fix would be to add an else statement to the if in line 909, which calls continue, I think.

I did not adjust the severity or priority, per bug submitting etiquette, but I consider this a major bug.

Thanks,
Joachim

[1] http://gitweb.freedesktop.org/?p=dbus/dbus.git;a=blob;h=caa544e7a4f041e0cc9b250dc8c814a7b06e927b;hb=14afa0564e9eea01d28d4b2fd1e6ac0bfec626e7;f=bus/policy.c#l865
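
The control flow described in the comment above, reduced to a small C model. This is an added example, not code from dbus or from the reporter: the struct, field and function names are hypothetical, and the `with_else` switch toggles between the flow as reported and the `else ... continue` fix the comment proposes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of the rule walk; all names here are hypothetical. */
enum rule_type { RULE_SEND, RULE_RECEIVE };
struct rule {
    enum rule_type type;
    bool allow;
    bool requested_reply;      /* models send_requested_reply="true" */
};
struct message { bool is_reply; bool reply_was_requested; };

/* The two default-configuration lines quoted in the comment. */
static const struct rule default_policy[] = {
    { RULE_SEND,    true, true },
    { RULE_RECEIVE, true, true },
};

/* with_else=false: flow as the comment describes it; true: proposed fix. */
static bool can_send(const struct rule *rules, size_t n, const struct message *m, bool with_else)
{
    bool allowed = false;                  /* default-no policy */
    for (size_t i = 0; i < n; i++) {
        if (rules[i].type != RULE_SEND)
            continue;                      /* only SEND rules are considered */
        if (rules[i].requested_reply) {
            if (m->is_reply) {
                if (!m->reply_was_requested)
                    continue;              /* unrequested reply: no match */
            } else if (with_else) {
                continue;                  /* reply-only rule skips normal messages */
            }
        }
        allowed = rules[i].allow;          /* rule matched: set the flag */
    }
    return allowed;
}

static bool default_allows(bool is_reply, bool requested, bool with_else)
{
    struct message m = { is_reply, requested };
    return can_send(default_policy, sizeof default_policy / sizeof default_policy[0], &m, with_else);
}

int main(void)
{
    printf("normal message: reported flow=%d, with else=%d\n",
           default_allows(false, false, false), default_allows(false, false, true));
    return 0;
}
```

In this model, a non-reply message is allowed by the reply-only rule unless the `else` branch is present, while requested replies are allowed and unrequested replies are denied in both variants.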