Re: [sugar] [PATCH] 5657: don't install activities in Rainbow's loophole

2008-08-06 Thread Mikus Grinbergs 
> Patch (1) makes sugar registry
> service not add bundles unless they're in ~/Activities.

I don't object to such a patch for 2008.

But I expect that sooner or later there will be hundreds of 
Activities -- they will NOT all fit into ~/Activities.  When that 
happens, "how to still have security" will need to be re-thought.

[What I have in mind is a 'hook-up' facility, which would "add in" 
Activities which reside elsewhere.]


mikus  (this is a "hot button" for me)

___
Sugar mailing list
Sugar@lists.laptop.org
http://lists.laptop.org/listinfo/sugar

[sugar] [PATCH] 5657: don't install activities in Rainbow's loophole (and draft 2 of bigger patch for 9.1)

2008-08-06 Thread Jameson "Chema" Quinn 
attachments, in order:
(1) 0...the  proposed patch to sugar
(2) suga..9.1  sugar part of a draft patch for 9.1, only read it if you're
interested, scarcely tested.
(3) 0...s-l   proposed patch for sugar-toolkit
(4) tool...9.1  the sugar-toolkit part of the draft 9.1 patch
(5) 0...fixes   some minor pylint cleanup to sugar, to be applied after
patch 1 above.

So, the important parts here are (1) and (3). Patch (1) makes sugar registry
service not add bundles unless they're in ~/Activities. (The registry can
add such bundles, but the service will refuse to). Patch (3) makes
activitybundle.py refuse to install loopholed activities unless called with
securitycheck=False.
From 4db7faf72edc7eaa2aa4631a98aa29819f2e5ec8 Mon Sep 17 00:00:00 2001
From: Jameson Quinn <[EMAIL PROTECTED]>
Date: Mon, 4 Aug 2008 19:17:11 -0600
Subject: [PATCH] bug #5657 - don't add bundles to registry unless they're in ~/Activities

---
 service/bundleregistry.py |7 +--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/service/bundleregistry.py b/service/bundleregistry.py
index e7c30a8..5d3fec8 100644
--- a/service/bundleregistry.py
+++ b/service/bundleregistry.py
@@ -174,12 +174,15 @@ class BundleRegistry(gobject.GObject):
 bundle_dirs.sort(lambda d1, d2: cmp(bundles[d1], bundles[d2]))
 for folder in bundle_dirs:
 try:
-self.add_bundle(folder)
+self.add_bundle(folder, securitycheck=False)
 except Exception, e:
 logging.error('Error while processing installed activity ' \
   'bundle: %s, %s, %s' % (folder, e.__class__, e))
 
-def add_bundle(self, bundle_path):
+def add_bundle(self, bundle_path, securitycheck=True):
+if securitycheck and not bundle_path.startswith(
+os.path.expanduser("~/Activities")):
+return False
 try:
 bundle = ActivityBundle(bundle_path)
 except MalformedBundleException:
-- 
1.5.2.5

diff --git a/service/activityregistryservice.py b/service/activityregistryservice.py
index 6ba5598..7b3415a 100644
--- a/service/activityregistryservice.py
+++ b/service/activityregistryservice.py
@@ -24,6 +24,11 @@ _ACTIVITY_REGISTRY_SERVICE_NAME = 'org.laptop.ActivityRegistry'
 _ACTIVITY_REGISTRY_IFACE = 'org.laptop.ActivityRegistry'
 _ACTIVITY_REGISTRY_PATH = '/org/laptop/ActivityRegistry'
 
+def log_it(s):
+f = file("/home/chema/.sugar/default/logs/hardcoded","ab")
+f.write(s+"\n")
+f.close()
+
 class ActivityRegistry(dbus.service.Object):
 def __init__(self):
 bus = dbus.SessionBus()
@@ -64,11 +69,8 @@ class ActivityRegistry(dbus.service.Object):
 @dbus.service.method(_ACTIVITY_REGISTRY_IFACE,
  in_signature='', out_signature='aa{sv}')
 def GetActivities(self):
-result = []
 registry = bundleregistry.get_registry()
-for bundle in registry:
-result.append(self._bundle_to_dict(bundle))
-return result
+return (bundle for bundle in registry)
 
 @dbus.service.method(_ACTIVITY_REGISTRY_IFACE,
  in_signature='s', out_signature='a{sv}')
@@ -78,7 +80,8 @@ class ActivityRegistry(dbus.service.Object):
 if not bundle:
 return {}
 
-return self._bundle_to_dict(bundle)
+log_it("service about to return "+str(bundle))
+return bundle
 
 @dbus.service.method(_ACTIVITY_REGISTRY_IFACE,
  in_signature='s', out_signature='aa{sv}')
@@ -90,18 +93,15 @@ class ActivityRegistry(dbus.service.Object):
 name = bundle.get_name().lower()
 bundle_id = bundle.get_bundle_id().lower()
 if name.find(key) != -1 or bundle_id.find(key) != -1:
-result.append(self._bundle_to_dict(bundle))
+result.append(bundle)
 
 return result
 
 @dbus.service.method(_ACTIVITY_REGISTRY_IFACE,
  in_signature='s', out_signature='aa{sv}')
 def GetActivitiesForType(self, mime_type):
-result = []
 registry = bundleregistry.get_registry()
-for bundle in registry.get_activities_for_type(mime_type):
-result.append(self._bundle_to_dict(bundle))
-return result
+return registry.get_activities_for_type(mime_type)
 
 @dbus.service.method(_ACTIVITY_REGISTRY_IFACE,
  in_signature='sib', out_signature='')
@@ -127,32 +127,14 @@ class ActivityRegistry(dbus.service.Object):
 def ActivityChanged(self, activity_info):
 pass
 
-def _bundle_to_dict(self, bundle):
-registry = bundleregistry.get_registry()
-favorite = registry.is_bundle_favorite(bundle.get_bundle_id(),
-   bundle.get_activity_version())
-x, y = registry.get_bundle_position(bundle.get_bundle_id(),
-bu