Created attachment 8930
prepend XDG_DATA_HOME to desktop thumbnailers directory list
Hi, I'm unsure if it's on purpose or not, but it seems that tumbler doesn't support thumbnailers from ~/.local/share/thumbnailers.
Looking at the source (https://git.xfce.org/xfce/tumbler/tree/tumblerd/tumbler-manager.c#n1239), the code for loading directories does include XDG_DATA_HOME/thumbnailers (~/.local/share/thumbnailers), but then it's only used for .service files for “specialized thumbnailers”, which I'm not sure what they are (https://git.xfce.org/xfce/tumbler/tree/tumblerd/tumbler-manager.c#n1177), since I never saw .service files for thumbnailers. All the “custom” thumbnailers I know about use some kind of .desktop file syntax.
Looking at the desktop-thumbnailer plugin, the code for loading them doesn't include XDG_DATA_HOME: https://git.xfce.org/xfce/tumbler/tree/plugins/desktop-thumbnailer/desktop-thumbnailer-provider.c#n240
Since it might be an oversight, I'm attaching a patch, which I'll also include in Debian.
I don't know tumbler internals, though it looks reasonable to me to load thumbnailers from ~/.local/share/thumbnailers as well.
I cannot imagine how that could be an attack vector. Even if tumblerd can run as root in some cases, then the XDG_DATA_HOME of root would be used, so I guess there is nothing to gain by exploiting formats. Sadly I don't know that much about tumbler and/or its security concept.
I have never heard of these service files either; they seem to be separate D-Bus services: https://wiki.gnome.org/DraftSpecs/ThumbnailerSpec#Service_name_of_a_specialized_thumbnailer
Regarding functionality, it should not change much. It is already possible to have multiple thumbnailer directories (though I guess currently almost nobody has multiple XDG_DATA_DIRS).
If you have push access, I would be fine with having your patch pushed.
Well, tumbler can certainly be used to exploit vulnerabilities in thumbnailers, and running the thumbnailers sandboxed would be a really good idea (like proposed in #14626). The feature proposed here could somehow extend the attack surface, but if an attacker can drop a new thumbnailer .desktop in ~/.local/share/thumbnailers he already has some privileges. Also he could as well drop a .service file there, which are apparently already supported. About XDG_DATA_DIRS, here I have multiple of them, at least /usr/share/xfce:/usr/local/share:/usr/share. Flatpaks apparently add some to the list as well.
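Added example (not part of the thread and not tumbler's code): a Python audit for the concern raised in the comment above, listing thumbnailer entries found under the user's home in the post-patch directory order and noting copies of the same file in the other directories. The `*.thumbnailer` extension and the `[Thumbnailer Entry]` group with `Exec`/`MimeType` keys are assumptions taken from the common thumbnailer file format (the thread only says ".desktop file syntax"), and the function names are made up for this sketch.

```python
import configparser
import os
from pathlib import Path

GROUP = "Thumbnailer Entry"  # assumption: group name of the common *.thumbnailer format


def thumbnailer_dirs(env, home):
    """Directory order after the patch: $XDG_DATA_HOME first, then each $XDG_DATA_DIRS entry."""
    data_home = env.get("XDG_DATA_HOME") or os.path.join(home, ".local", "share")
    data_dirs = env.get("XDG_DATA_DIRS") or "/usr/local/share:/usr/share"
    roots = [data_home] + [d for d in data_dirs.split(":") if d]
    return [Path(r) / "thumbnailers" for r in roots]


def read_entry(path):
    """Return (Exec, [MimeType, ...]), or (None, []) when the file cannot be parsed."""
    # interpolation=None: Exec lines contain %-placeholders that must stay literal.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, key files are case-sensitive
    try:
        cp.read(path, encoding="utf-8")
        section = cp[GROUP]
    except (configparser.Error, KeyError, UnicodeDecodeError):
        return None, []
    mimes = [m for m in section.get("MimeType", "").split(";") if m]
    return section.get("Exec"), mimes


def audit_user_thumbnailers(env, home):
    """List thumbnailer files located below `home`, plus same-named files elsewhere."""
    dirs = thumbnailer_dirs(env, home)
    findings = []
    for d in dirs:
        if Path(home) not in d.parents or not d.is_dir():
            continue  # only report directories inside the user's home
        for f in sorted(d.glob("*.thumbnailer")):  # assumption: file extension
            exec_line, mimes = read_entry(f)
            dupes = [str(o / f.name) for o in dirs if o != d and (o / f.name).is_file()]
            findings.append({"file": str(f), "exec": exec_line,
                             "mime_types": mimes, "also_in": dupes})
    return findings


if __name__ == "__main__":
    for item in audit_user_thumbnailers(os.environ, os.path.expanduser("~")):
        print(item)
```

An entry with `exec` set to `None` is a file that did not parse; `also_in` only reports that a same-named file exists elsewhere, since the thread does not say which copy takes effect.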
Patch works fine for me. Tested putting the same thumbnailer twice, in both directories. Works without trouble. I'll just push the patch to master.
Yves-Alexis Perez referenced this bugreport in commit d4e7075401b6ef60cf1f015a488cf4b573f9b8dd
prepend $XDG_DATA_HOME/thumbnailers/ to thumbnailers directory (Bug #15858)
https://git.xfce.org/xfce/tumbler/commit?id=d4e7075401b6ef60cf1f015a488cf4b573f9b8dd
- Closed -
Thanks for the patch, by the way! :)
Thanks!