Security issue with .desktop files revisited

Bastian, Waldo waldo.bastian at intel.com
Tue Apr 11 03:34:30 EEST 2006


A viable strategy would be to start creating .desktop files with +x set
and a #!/usr/bin/xdg-open line now and then to wait a while before
environments actually start requiring it. In the meantime there could be
some config setting that people/distributions can use to enable it
before that time.

Waldo Bastian
Linux Client Architect - Client Linux Foundation Technology
Channel Platform Solutions Group
Intel Corporation - http://www.intel.com/go/linux
OSDL DTL Tech Board Chairman

>-----Original Message-----
>From: xdg-bounces at lists.freedesktop.org [mailto:xdg-bounces at lists.freedesktop.org] On Behalf Of Thomas Leonard
>Sent: Monday, April 10, 2006 1:27 PM
>To: xdg at lists.freedesktop.org
>Subject: Re: Security issue with .desktop files revisited
>
>On Mon, 10 Apr 2006 04:58:28 -0700, Sam Watkins wrote:
>
>> Waldo Bastian wrote:
>>> I think it's a sane idea to require +x on .desktop files in order for a file
>>> browser or "Desktop" to execute the .desktop file. It shouldn't be too much
>>> of a problem to add a #!/usr/bin/xdg-open line to the format either, although
>>> it may take a while before applications actually start to add that.
>>
>> Thank-you very much for the encouragement Waldo :)
>>
>> I'll have a go at implementing my proposal soon, God willing.
>>
>> If anyone knows of particular bits of gnome, kde and xfce that are
>> responsible for executing, creating and editing .desktop files,
>> would you please let me know to save me having to hunt around?
>>
>> Also do you know of any other environments, utilities, etc. out there
>> that use, create or manipulate .desktop files?  Maybe there's a list
>> somewhere?
>
>Well, in ROX-Filer diritem.c, delete this:
>
>	else if (item->mime_type == application_x_desktop)
>	{
>		item->flags |= ITEM_FLAG_EXEC_FILE;
>	}
>
>But, I doubt you'll have much success getting patches applied until
>*after* .desktop files come with +x by default ;-)
>
>
>--
>Dr Thomas Leonard		http://rox.sourceforge.net
>GPG: 9242 9807 C985 3C07 44A6  8B9A AE07 8280 59A5 3CC1
>
>
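
Added example, not part of the original thread or of any desktop environment's code: a sketch in C of the launcher-side check the proposal implies, with the transitional config setting modelled as an `enforce` flag. The function names, the flag and the sample entry are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#define SHEBANG "#!/usr/bin/xdg-open"
#define ENTRY "[Desktop Entry]\nType=Application\nExec=true\n" /* constructed sample */

/* Hypothetical check; enforce models the transitional config setting. */
int desktop_launch_allowed(const char *path, int enforce)
{
    char head[64] = "";
    size_t want = strlen(SHEBANG);
    struct stat st;
    int fd, ok = 0;
    if (!enforce)
        return 1; /* current behaviour: any .desktop file is launched */
    if ((fd = open(path, O_RDONLY)) < 0)
        return 0;
    /* fstat the descriptor so mode test and read see the same file (owner +x only) */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & S_IXUSR)
        && read(fd, head, sizeof head - 1) >= (ssize_t)want
        && memcmp(head, SHEBANG, want) == 0)
        ok = head[want] == '\n' || head[want] == '\0'; /* exact first line */
    close(fd);
    return ok;
}

/* Writes text to a temp file with the given mode; returns the decision or -1. */
int check_sample(const char *text, mode_t mode, int enforce)
{
    char path[] = "/tmp/desktop-sample-XXXXXX";
    int fd = mkstemp(path), r = -1;
    if (fd < 0)
        return -1;
    if (write(fd, text, strlen(text)) == (ssize_t)strlen(text) && fchmod(fd, mode) == 0)
        r = desktop_launch_allowed(path, enforce);
    close(fd);
    unlink(path);
    return r;
}

int main(void)
{
    printf("%d %d\n", check_sample(SHEBANG "\n" ENTRY, 0700, 1), check_sample(ENTRY, 0700, 1));
    return 0;
}
```

With `enforce` off, files that lack +x or the shebang still launch, which is the waiting period described in the message above.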