Security issue with .desktop files revisited

Rodney Dawes dobey at
Sun Apr 2 17:43:28 EEST 2006

On Sun, 2006-04-02 at 00:17 +0100, Mike Hearn wrote:
> On Tue, 28 Mar 2006 23:59:11 -0500, Rodney Dawes wrote:
> > The current "solution" in nautilus really sucks, and won't let me even
> > open valid files, where the extension disagrees with the data mime type
> > discovery.
> That's a different (but related) issue, where a file extension does not
> match what the file contents say it is.
> This issue is that .desktop files are treated specially by the desktops,
> and can choose their own name and icon. It doesn't matter what is done
> with MIME typing or anything else - it will not affect desktop files
> without a change in the spec or implementation.

But this is only true if the .desktop file is a valid .desktop file, no?
And if the icon is actually in the theme on the user's system? They
can't embed their own icons. And as I said in another part of my mail,
we should limit what one can put in the Exec= line. We can also limit
what one can put in the Icon= line, to icons in the Applications
context. While the names in this context are more freeform, the intent
is that the icon names match the binary name of the application, unless
it is a generic desktop application, such as "calculator", which we are
speccing out in the Icon Naming Spec. 

-- dobey
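
The Icon= restriction proposed in the message above, sketched as an added example (not code from the original mail or from any xdg project). The theme index, file listing, .desktop samples and function names are constructed for illustration, and the theme's files are passed in as a dict instead of being read from disk.

```python
import configparser

# Constructed sample theme data (assumption, not from the original mail).
INDEX_THEME = """[Icon Theme]
Name=Sample
Directories=48x48/apps,48x48/mimetypes
[48x48/apps]
Size=48
Context=Applications
[48x48/mimetypes]
Size=48
Context=MimeTypes
"""
THEME_FILES = {"48x48/apps": ["gedit.png", "calculator.png"],
               "48x48/mimetypes": ["image-jpeg.png"]}
# Constructed .desktop samples: SPOOF borrows a document-style name and icon.
GOOD = "[Desktop Entry]\nType=Application\nName=gedit\nExec=gedit %U\nIcon=gedit\n"
SPOOF = "[Desktop Entry]\nType=Application\nName=photo.jpg\nExec=example-app\nIcon=image-jpeg\n"

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keys in these files are case-sensitive
    cp.read_string(text)
    return cp

def application_icons(index_theme, files):
    """Names of icons in theme directories whose Context is Applications."""
    theme = _parse(index_theme)
    names = set()
    for d in theme["Icon Theme"]["Directories"].split(","):
        d = d.strip()
        if theme.has_section(d) and theme[d].get("Context") == "Applications":
            names.update(f.rsplit(".", 1)[0] for f in files.get(d, []))
    return names

def check_icon(desktop_text, allowed):
    """Return (ok, reason) for the Icon= key of a .desktop file."""
    try:
        cp = _parse(desktop_text)
    except configparser.Error:
        return False, "not a valid .desktop file"
    if not cp.has_section("Desktop Entry"):
        return False, "not a valid .desktop file"
    icon = cp["Desktop Entry"].get("Icon", "")
    if not icon:
        return True, "no icon requested"
    if "/" in icon:
        return False, "Icon is a path, not a theme icon name"
    if icon not in allowed:
        return False, "Icon is outside the Applications context"
    return True, "ok"
```

With this check, a launcher requesting a MimeTypes-context icon such as `image-jpeg` is rejected, while one using an Applications-context name such as `gedit` passes.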
