oss-sec mailing list archives
Re: PCManFM-Qt allows arbitrary files to be opened via the org.freedesktop.FileManager1.ShowFolders method
From: Simon McVittie <smcv () debian org>
Date: Wed, 20 May 2026 11:05:53 +0100
On Tue, 19 May 2026 at 20:33:45 -0400, Aaron Rainbolt wrote:
> # next command is run inside the sandbox, which happens to have
> # both bash and dbus-send available
> dbus-send \
> --print-reply \
> --session \
> --dest=org.freedesktop.FileManager1 \
Note that as discussed in the other recent thread, Flatpak doesn't allow this call by default: it's only allowed because the org.mozilla.firefox app has it as an explicitly-added static permission.
But it's probably possible to reach a similar o.fd.FileManager1 call from sandboxed code indirectly, by asking the OpenURI portal to open a directory, which will try to dispatch it to a file manager.
smcv
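
An added example, not part of the original message: a small audit that reads Flatpak app metadata and reports which apps can talk to org.freedesktop.FileManager1, either through a static permission like the one mentioned above or through unfiltered session bus access. The app IDs, the sample metadata and the helper names (`name_matches`, `can_call`, `audit`) are constructed for illustration.

```python
import configparser

TARGET = "org.freedesktop.FileManager1"

# Constructed sample metadata in the keyfile format printed by
# `flatpak info --show-metadata APP`; the app IDs are hypothetical.
SAMPLES = {
    "org.example.Browser": """
[Context]
sockets=wayland;pulseaudio;
[Session Bus Policy]
org.freedesktop.FileManager1=talk
org.mpris.MediaPlayer2.example.*=own
""",
    "org.example.Legacy": """
[Context]
sockets=x11;session-bus;
""",
    "org.example.Notes": """
[Context]
sockets=wayland;
[Session Bus Policy]
org.freedesktop.Notifications=talk
""",
}

def name_matches(rule, name):
    """A rule ending in '.*' covers the prefix itself and every name below it."""
    if rule.endswith(".*"):
        prefix = rule[:-2]
        return name == prefix or name.startswith(prefix + ".")
    return rule == name

def can_call(metadata_text, name=TARGET):
    """Return why the app may call `name` on the session bus, or None."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep bus names case-sensitive
    cp.read_string(metadata_text)
    if "session-bus" in cp.get("Context", "sockets", fallback="").split(";"):
        return "unfiltered session bus (sockets=session-bus)"
    if cp.has_section("Session Bus Policy"):
        for rule, level in cp.items("Session Bus Policy"):
            # 'see' only makes the name visible; 'talk' and 'own' allow method calls
            if level in ("talk", "own") and name_matches(rule, name):
                return f"static permission {rule}={level}"
    return None

def audit(samples=SAMPLES):
    return {app: can_call(text) for app, text in samples.items()}
```

This only covers direct session bus access; it does not detect the indirect path through the OpenURI portal described above.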
