Security issue with .desktop files revisited
dobey at novell.com
Sun Apr 2 17:43:28 EEST 2006
On Sun, 2006-04-02 at 00:17 +0100, Mike Hearn wrote:
> On Tue, 28 Mar 2006 23:59:11 -0500, Rodney Dawes wrote:
> > The current "solution" in nautilus really sucks, and won't let me even
> > open valid files, where the extension disagrees with the data mime type
> > discovery.
> That's a different (but related) issue, where a file extension does not
> match what the file contents says it is.
> This issue is that .desktop files are treated specially by the desktops,
> and can choose their own name and icon. It doesn't matter what is done
> with MIME typing or anything else - it will not affect desktop files
> without a change in the spec or implementation.
But this is only true if the .desktop file is a valid .desktop file, no?
And if the icon is actually in the theme on the user's system? They
can't embed their own icons. And as I said in another part of my mail,
we should limit what one can put in the Exec= line. We can also limit
what one can put in the Icon= line, to icons in the Applications
context. While the names in this context are more freeform, the intent
is that the icon names match the binary name of the application, unless
it is a generic desktop application, such as "calculator", which we are
speccing out in the Icon Naming Spec.
More information about the xdg