nevaforget/greetd-moongreet
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: Audit-Findings — Theme-Validierung, locale-unabhängige Tests

Browse Source 
- Theme-Name aus settings.ini gegen Regex validiert (nur [A-Za-z0-9_-]),
  verhindert Path-Traversal über GTK-Theme-Loading (S-05)
- Faillock-Tests nutzen expliziten strings-Parameter statt System-Locale,
  Tests laufen jetzt auch auf EN-Systemen (MAINT-4)
- Test für Path-Traversal im Theme-Namen ergänzt
This commit is contained in:
nevaforget
2026-03-26 12:36:16 +01:00
parent 65d3ba64f9
commit 8b1608f99d
3 changed files with 31 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/moongreet/users.py
+7 -1
View File
@@ -2,9 +2,12 @@
# ABOUTME: Provides User dataclass and helper functions for the greeter UI.
import configparser
import re
from dataclasses import dataclass
from pathlib import Path
VALID_THEME_NAME = re.compile(r"^[A-Za-z0-9_-]+$")
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/nologin"}
MIN_UID = 1000
MAX_UID = 65533
@@ -102,6 +105,9 @@ def get_user_gtk_theme(config_dir: Path | None = None) -> str | None:
return None
if config.has_option("Settings", "gtk-theme-name"):
return config.get("Settings", "gtk-theme-name")
theme = config.get("Settings", "gtk-theme-name")
# Validate against path traversal — only allow safe theme names
if theme and VALID_THEME_NAME.match(theme):
return theme
return None