fix: audit fixes — blur offset, lock-before-IO, FP signal lifecycle, TOCTOU (v0.6.6)
Third triple audit (quality, performance, security). Key fixes:

- Blur padding offset: texture at (-pad,-pad) prevents edge darkening on all sides
- Wallpaper loads after lock.lock() — disk I/O no longer delays lock acquisition
- begin_verification disconnects old signal handler before registering new one
- resume_async resets failed_attempts to prevent premature exhaustion
- Unknown VerifyStatus with done=true triggers restart instead of hanging
- symlink_metadata() replaces separate is_file()+is_symlink() (TOCTOU)
- faillock_warning dead code removed, blur sigma clamped to [0,100]
- Redundant Zeroizing<Vec<u8>> removed, on_verify_status restricted to pub(crate)
- Warn logging for non-UTF-8 GECOS and avatar path errors
- Default impl for FingerprintListener, 3 new tests (47 total)
+11
-8
@@ -40,16 +40,14 @@ fn activate(app: >k::Application) {
|
||||
load_css(&display);
|
||||
|
||||
let config = config::load_config(None);
|
||||
let bg_texture = config::resolve_background_path(&config)
|
||||
.and_then(|path| lockscreen::load_background_texture(&path));
|
||||
|
||||
if gtk4_session_lock::is_supported() {
|
||||
activate_with_session_lock(app, &display, bg_texture.as_ref(), &config);
|
||||
activate_with_session_lock(app, &display, &config);
|
||||
} else {
|
||||
#[cfg(debug_assertions)]
|
||||
{
|
||||
log::warn!("ext-session-lock-v1 not supported — running in development mode");
|
||||
activate_without_lock(app, bg_texture.as_ref(), &config);
|
||||
activate_without_lock(app, &config);
|
||||
}
|
||||
#[cfg(not(debug_assertions))]
|
||||
{
|
||||
@@ -62,12 +60,15 @@ fn activate(app: >k::Application) {
|
||||
fn activate_with_session_lock(
|
||||
app: >k::Application,
|
||||
display: &gdk::Display,
|
||||
bg_texture: Option<&gdk::Texture>,
|
||||
config: &config::Config,
|
||||
) {
|
||||
let lock = gtk4_session_lock::Instance::new();
|
||||
lock.lock();
|
||||
|
||||
// Load wallpaper AFTER lock — disk I/O must not delay the lock acquisition
|
||||
let bg_texture = config::resolve_background_path(config)
|
||||
.and_then(|path| lockscreen::load_background_texture(&path));
|
||||
|
||||
let monitors = display.monitors();
|
||||
|
||||
// Shared unlock callback — unlocks session and quits.
|
||||
@@ -99,7 +100,7 @@ fn activate_with_session_lock(
|
||||
.and_then(|obj| obj.downcast::<gdk::Monitor>().ok())
|
||||
{
|
||||
let handles = lockscreen::create_lockscreen_window(
|
||||
bg_texture,
|
||||
bg_texture.as_ref(),
|
||||
config,
|
||||
app,
|
||||
unlock_callback.clone(),
|
||||
@@ -158,9 +159,11 @@ fn init_fingerprint_async(all_handles: Vec<lockscreen::LockscreenHandles>) {
|
||||
#[cfg(debug_assertions)]
|
||||
fn activate_without_lock(
|
||||
app: >k::Application,
|
||||
bg_texture: Option<&gdk::Texture>,
|
||||
config: &config::Config,
|
||||
) {
|
||||
let bg_texture = config::resolve_background_path(config)
|
||||
.and_then(|path| lockscreen::load_background_texture(&path));
|
||||
|
||||
let app_clone = app.clone();
|
||||
let unlock_callback: Rc<dyn Fn()> = Rc::new(move || {
|
||||
app_clone.quit();
|
||||
@@ -169,7 +172,7 @@ fn activate_without_lock(
|
||||
let blur_cache = Rc::new(RefCell::new(None));
|
||||
let avatar_cache = Rc::new(RefCell::new(None));
|
||||
let handles = lockscreen::create_lockscreen_window(
|
||||
bg_texture,
|
||||
bg_texture.as_ref(),
|
||||
config,
|
||||
app,
|
||||
unlock_callback,
|
||||
|
||||
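Review bot: In `activate_with_session_lock`, the wallpaper is now read and decoded synchronously between `lock.lock()` and the monitor loop that calls `create_lockscreen_window`, so a slow or very large file at the configured path would keep the session without a lock surface or password prompt until the load returns. The path comes from `config::resolve_background_path`, which presumably reflects user configuration; whether the compositor tolerates an arbitrary delay before surfaces appear is not visible here. Consider creating the windows first and applying the texture afterwards, or bounding the load (a size cap or an off-main-thread decode), so the unlock UI cannot be stalled by the image. The same two-line load expression is also repeated in `activate_without_lock`; a small helper such as `fn load_wallpaper(config: &config::Config) -> Option<gdk::Texture>` (return type inferred from the `.as_ref()` call sites) would keep the two paths in step. Both function bodies continue outside the hunks shown.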