Open elinorbgr opened 5 years ago
Regarding the first point, IIRC clients I've seen in the wild use the latest serial (not the wl_keyboard.enter
serial). The protocol says: "serial number of the event that triggered this request" so I think this is correct behaviour.
Regarding the second one, currently wlroots only uses (weak) serial validation for protecting against race conditions and not as a security mechanism. Of course, I agree this should be fixed too. This probably requires to have a ring buffer of valid serials for each client?
Note that all of this also applies to Weston, which has a similar serial validation mechanism. Not sure about other compositors.
Noted about the first point, I was not sure what to think about it.
About the second, a possibility would be to only allow setting the selection if the client currently has keyboard focus, and resetting the selection_serial
of a seat whenever the keyboard focus change.
I suppose races can be mitigated by keeping the previous selection_serial
as well. This is obviously not as robust as keeping track of all valid serials, though.
We still need to have a global selection_serial
to prevent races between clients.
One thing we could do to protect against malicious clients is checking serial <= wl_display_get_serial()
.
On sway 1.0 release.
The serials provided by clients when they issue a
wl_data_device.set_selection
call are apparently not validated other than checking that they are strictly greater than the previous one. This has two consequences:wl_keyboard.enter
). This serial will be accepted by sway, and it will make all other clients unable to set the selection (as their serial is too small).These issues were discovered with the help of @trimental, while working on https://github.com/smithay/smithay-clipboard