summaryrefslogtreecommitdiff
path: root/doc/dbus-specification.xml
diff options
context:
space:
mode:
authorSimon McVittie <simon.mcvittie@collabora.co.uk>2013-09-16 14:17:25 +0100
committerSimon McVittie <simon.mcvittie@collabora.co.uk>2013-11-27 15:36:07 +0000
commit8c388a5d213aa28f5d92a19150a697c5eba5554f (patch)
tree7cd2c799c50fd41412d96362378394fda834387c /doc/dbus-specification.xml
parent0fa46f68b8bbd2913ac9620328518fc5f9e16f85 (diff)
downloaddbus-8c388a5d213aa28f5d92a19150a697c5eba5554f.tar.gz
dbus-8c388a5d213aa28f5d92a19150a697c5eba5554f.tar.bz2
dbus-8c388a5d213aa28f5d92a19150a697c5eba5554f.zip
spec: explicitly mention filtering messages with no INTERFACE
This is an important security measure. Without it, the system bus would not deliver its intended security properties. The actual implementation has always behaved like this, I think. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=68597 Reviewed-by: Chengwei Yang <chengwei.yang@intel.com>
Diffstat (limited to 'doc/dbus-specification.xml')
-rw-r--r--doc/dbus-specification.xml9
1 files changed, 9 insertions, 0 deletions
diff --git a/doc/dbus-specification.xml b/doc/dbus-specification.xml
index 865a8bff..629ab10c 100644
--- a/doc/dbus-specification.xml
+++ b/doc/dbus-specification.xml
@@ -1700,6 +1700,15 @@
message as though it had an arbitrary one of those interfaces.
</para>
<para>
+ In some situations (such as the well-known system bus), messages
+ are filtered through an access-control list external to the
+ remote object implementation. If that filter rejects certain
+ messages by matching their interface, or accepts only messages
+ to specific interfaces, it must also reject messages that have no
+ <literal>INTERFACE</literal>: otherwise, malicious
+ applications could use this to bypass the filter.
+ </para>
+ <para>
Method call messages also include a <literal>PATH</literal> field
indicating the object to invoke the method on. If the call is passing
through a message bus, the message will also have a