[Bug 1580223] [NEW] 'gdbus call' can't handle arguments containing '&' (XML escaping failure) failure

Dirk F 1580223 at bugs.launchpad.net
Tue May 10 15:12:33 UTC 2016 

Public bug reported:

When gdbus is used with the call subcommand, string arguments passed to
the called method that contain the character '&' are treated as empty
"". Presumably this also affects the emit subcommand.

The problem appears to be that internally the arguments are processed as
XML but not safely escaped, as shown in the tests below.

>From the gdbus man page, try this example:

gdbus call --session --dest org.freedesktop.Notifications \
           --object-path /org/freedesktop/Notifications \
           --method org.freedesktop.Notifications.Notify \
           my_app_name \
           42 \
           gtk-dialog-info \
           "The Summary" \
           "Here's the body of the notification" \
           [] {} 5000

A notification is displayed with the information icon, the summary and
the body.

Now try

gdbus call --session --dest org.freedesktop.Notifications \
           --object-path /org/freedesktop/Notifications \
           --method org.freedesktop.Notifications.Notify \
           my_app_name \
           42 \
           gtk-dialog-info \
           "The Summary" \
           "Here's the body containing '&' of the notification" \
           [] {} 5000

A notification is displayed with the information icon, the summary and
*no* body.

Now try

gdbus call --session --dest org.freedesktop.Notifications \
           --object-path /org/freedesktop/Notifications \
           --method org.freedesktop.Notifications.Notify \
           my_app_name \
           42 \
           gtk-dialog-info \
           "The Summary" \
           "Here's the body containing '&' of the notification" \
           [] {} 5000

A notification is displayed with the information icon, the summary and
this body

"Here's the body containing '&' of the notification"

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: libglib2.0-bin 2.40.2-0ubuntu1
ProcVersionSignature: Ubuntu 4.2.0-36.41~14.04.1-generic 4.2.8-ckt8
Uname: Linux 4.2.0-36-generic i686
ApportVersion: 2.14.1-0ubuntu3.20
Architecture: i386
CurrentDesktop: LXDE
Date: Tue May 10 15:56:44 2016
InstallationDate: Installed on 2016-02-21 (78 days ago)
InstallationMedia: Lubuntu 14.04.4 LTS "Trusty Tahr" - Release i386 (20160217.1)
SourcePackage: glib2.0
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: glib2.0 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: apport-bug i386 trusty

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glib2.0 in Ubuntu.
https://bugs.launchpad.net/bugs/1580223

Title:
  'gdbus call' can't handle arguments containing '&' (XML escaping
  failure) failure

Status in glib2.0 package in Ubuntu:
  New

Bug description:
  When gdbus is used with the call subcommand, string arguments passed
  to the called method that contain the character '&' are treated as
  empty "". Presumably this also affects the emit subcommand.

  The problem appears to be that internally the arguments are processed
  as XML but not safely escaped, as shown in the tests below.

  From the gdbus man page, try this example:

  gdbus call --session --dest org.freedesktop.Notifications \
             --object-path /org/freedesktop/Notifications \
             --method org.freedesktop.Notifications.Notify \
             my_app_name \
             42 \
             gtk-dialog-info \
             "The Summary" \
             "Here's the body of the notification" \
             [] {} 5000

  A notification is displayed with the information icon, the summary and
  the body.

  Now try

  gdbus call --session --dest org.freedesktop.Notifications \
             --object-path /org/freedesktop/Notifications \
             --method org.freedesktop.Notifications.Notify \
             my_app_name \
             42 \
             gtk-dialog-info \
             "The Summary" \
             "Here's the body containing '&' of the notification" \
             [] {} 5000

  A notification is displayed with the information icon, the summary and
  *no* body.

  Now try

  gdbus call --session --dest org.freedesktop.Notifications \
             --object-path /org/freedesktop/Notifications \
             --method org.freedesktop.Notifications.Notify \
             my_app_name \
             42 \
             gtk-dialog-info \
             "The Summary" \
             "Here's the body containing '&' of the notification" \
             [] {} 5000

  A notification is displayed with the information icon, the summary and
  this body

  "Here's the body containing '&' of the notification"

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: libglib2.0-bin 2.40.2-0ubuntu1
  ProcVersionSignature: Ubuntu 4.2.0-36.41~14.04.1-generic 4.2.8-ckt8
  Uname: Linux 4.2.0-36-generic i686
  ApportVersion: 2.14.1-0ubuntu3.20
  Architecture: i386
  CurrentDesktop: LXDE
  Date: Tue May 10 15:56:44 2016
  InstallationDate: Installed on 2016-02-21 (78 days ago)
  InstallationMedia: Lubuntu 14.04.4 LTS "Trusty Tahr" - Release i386 (20160217.1)
  SourcePackage: glib2.0
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glib2.0/+bug/1580223/+subscriptions

More information about the foundations-bugs mailing list