diff options
author | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2013-09-16 14:17:25 +0100 |
---|---|---|
committer | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2013-11-27 15:36:07 +0000 |
commit | 8c388a5d213aa28f5d92a19150a697c5eba5554f (patch) | |
tree | 7cd2c799c50fd41412d96362378394fda834387c /doc/dbus-specification.xml | |
parent | 0fa46f68b8bbd2913ac9620328518fc5f9e16f85 (diff) | |
download | dbus-8c388a5d213aa28f5d92a19150a697c5eba5554f.tar.gz dbus-8c388a5d213aa28f5d92a19150a697c5eba5554f.tar.bz2 dbus-8c388a5d213aa28f5d92a19150a697c5eba5554f.zip |
spec: explicitly mention filtering messages with no INTERFACE
This is an important security measure. Without it, the system bus
would not deliver its intended security properties. The actual
implementation has always behaved like this, I think.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=68597
Reviewed-by: Chengwei Yang <chengwei.yang@intel.com>
Diffstat (limited to 'doc/dbus-specification.xml')
-rw-r--r-- | doc/dbus-specification.xml | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/doc/dbus-specification.xml b/doc/dbus-specification.xml index 865a8bff..629ab10c 100644 --- a/doc/dbus-specification.xml +++ b/doc/dbus-specification.xml @@ -1700,6 +1700,15 @@ message as though it had an arbitrary one of those interfaces. </para> <para> + In some situations (such as the well-known system bus), messages + are filtered through an access-control list external to the + remote object implementation. If that filter rejects certain + messages by matching their interface, or accepts only messages + to specific interfaces, it must also reject messages that have no + <literal>INTERFACE</literal>: otherwise, malicious + applications could use this to bypass the filter. + </para> + <para> Method call messages also include a <literal>PATH</literal> field indicating the object to invoke the method on. If the call is passing through a message bus, the message will also have a |