Disabling new D-Bus protocol features by default

Marcel Holtmann marcel at holtmann.org
Tue Nov 9 07:01:07 PST 2010


Hi Thiago,

> > > Maybe so, but that's not what we've done. Right now, we trust the daemon
> > > and it does have logic to not send the new types. And on the client
> > > side, the behaviour on seeing new things is to disconnect. Before we
> > > talk about removing the daemon safeties, we need to fix the clients.
> > > 
> > > I'm simply moving the control of the negotiation logic to the public.
> > 
> > So how does a client see the new types if it has to negotiate the
> > support in the first place? I think the behavior of the client is
> > actually correct. It gets unexpected data and decides to just
> > disconnect.
> 
> The point is that, if the client isn't modified to tell the library that it 
> knows about the new types, the library will not negotiate the new feature with 
> the bus server. In turn, the bus server will not send the new types over the 
> connection.

And what is wrong with that? That seems to me the right approach. The
server can just send an error back for such a message.

> > What are you trying to fix here?
> 
> The library giving bindings the new types without those bindings or apps 
> knowing about them.

That is a bug in the bindings. And seems to be only affecting the
bindings that are using libdbus-1. So these bindings are clearly broken
and need to be fixed.

Also, what is this disconnect you are talking about? libdbus-1 knows this
type since it negotiated it. So the worst case that happens is that the
binding or application can't understand that message.

> > > You're asking that we fix all applications and all bindings that made the
> > > assumption that they knew all types possible. You're also asking that no
> > > one use an old, bundled version of libdbus-1.
> > 
> > If a binding made the assumption it knew all data types, then that
> > binding has an issue already right now. In the end D-Bus is a wire
> > protocol and you have to treat it like that and handle unspecified data
> > types.
> 
> You see, the library ALSO made that assumption. That's why it disconnects when 
> it receives an unknown new type. The wire protocol doesn't have any extension 
> mechanism, it's simply impossible to handle a new type gracefully. That's why 
> features had to be negotiated out of band.
> 
> Up until D-Bus 1.2 it was a safe assumption that there would be no new types, 
> because we hadn't found a way to extend the type system. Applications could 
> rely on the low-level library not giving them anything that they didn't know.
> 
> Now they can't. We're pulling the rug under these applications, some of which 
> are quite sensitive, due to the system bus.
> 
> If you guys don't think this is serious, I'll wash my hands...

I am still not following you. So on one hand you say that the daemon
does not forward the message to the client if that type is not
negotiated. And the client disconnects as a safe-guard if it gets it
anyway.

So at what point can you send a message with FD passing type to a client
without FD passing and something bad happens to the remote application?
Would it just return an error to the initial caller in that case?

Or is this just an artificial case for bindings that use libdbus-1 and
are not updated to understand or handle unknown types? From what I am
reading, libdbus-1 and dbus-daemon do actually protect you from
this.

> > > If we don't apply this fix, then I think we must *immediately* make
> > > libdbus-1 stop disconnecting when it receives new types from the bus. We
> > > can't have both.
> > 
> > How can libdbus-1 receive that unknown data type in the first place if
> > it has not negotiated the support for it? Am I missing something obvious
> > right now? Who is actually disconnecting who?
> 
> Point taken, I don't think this is necessary.

I think this is not actually a libdbus-1 problem as you described it. If
I am getting this right, then it is bindings that use a libdbus-1 that
understands the new types, but the bindings themselves don't understand them.

So I don't know how we end up in the condition that libdbus-1
disconnects us from the bus. Since that should not happen. And if that
happens then the dbus-daemon did something wrong.

What I am thinking is that the bindings need to be extended to deal with
the fact of unknown types from libdbus-1 (if they use libdbus-1) and
then either return an error or something.

Regards

Marcel
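
The binding-side handling suggested at the end of this message, sketched as an added example (not part of the original post and not libdbus-1 code): a binding checks an incoming signature for type codes it cannot marshal and answers with an error instead of crashing. The function names and the `action` enum are hypothetical; 'h' is the UNIX_FD type code introduced with FD passing.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Type codes defined by the D-Bus type system before FD passing. */
static const char KNOWN_TYPES[] = "ybnqiuxtdsogav(){}";
#define TYPE_UNIX_FD 'h'   /* code added with FD passing */

/* Message types from the D-Bus wire protocol. */
enum msg_type { METHOD_CALL = 1, METHOD_RETURN = 2, MSG_ERROR = 3, SIGNAL = 4 };

/* Hypothetical binding policy outcomes (assumption, not a libdbus-1 API). */
enum action { DELIVER, REPLY_NOT_SUPPORTED, DROP };

/* Return the first type code the binding cannot marshal, or 0 if none. */
char first_unknown_type(const char *sig, bool knows_unix_fd)
{
    for (const char *p = sig; *p != '\0'; p++) {
        if (strchr(KNOWN_TYPES, *p) != NULL)
            continue;
        if (*p == TYPE_UNIX_FD && knows_unix_fd)
            continue;
        return *p;
    }
    return 0;
}

/* Decide what to do with an incoming message rather than aborting. */
enum action classify(enum msg_type type, const char *sig, bool knows_unix_fd)
{
    if (first_unknown_type(sig, knows_unix_fd) == 0)
        return DELIVER;
    /* Only a method call has a caller waiting for an answer. */
    return type == METHOD_CALL ? REPLY_NOT_SUPPORTED : DROP;
}

int main(void)
{
    /* Constructed sample signatures. */
    const char *sigs[] = { "a{sv}", "sh", "a(ih)" };
    for (size_t i = 0; i < 3; i++)
        printf("%-6s old binding: %d  updated binding: %d\n", sigs[i],
               classify(METHOD_CALL, sigs[i], false),
               classify(METHOD_CALL, sigs[i], true));
    return 0;
}
```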



