Security issue with .desktop files revisited

Mike Hearn mike at plan99.net
Mon Apr 3 01:44:33 EEST 2006


> But this is only true if the .desktop file is a valid .desktop file, no?

I guess so. I don't know what KDE/GNOME do when given an invalid desktop 
file.

> And if the icon is actually in the theme on the user's system? 

Yes - things like JPEG file, word processor document etc are pretty much 
guaranteed to be there.

> They can't embed their own icons. 

This is what will save us ...

> We can also limit what one can put in the Icon= line, to icons in the Applications
> context.

That was the original proposal. There have been lots of alternatives 
proposed, but can anybody think of a good reason why we shouldn't do 
this? Aaron gave the best IMHO - that there are many "legit" icons a 
malicious file could use that aren't mime icons. Fair point. But, is 
this reasoning strong enough to say we should not do it? I am not sure.

thanks -mike
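The restriction discussed above (only accept an Icon= name that the theme files under the Applications context), sketched as an added example that is not part of the original message or of any desktop's code. The theme index, the file listing and the function names are constructed for illustration, and refusing path-style icons and unparsable files is an assumption.

```python
import configparser

# Constructed sample theme index (layout per the freedesktop icon theme spec).
INDEX_THEME = """\
[Icon Theme]
Name=Sample
Directories=48x48/apps,48x48/mimetypes

[48x48/apps]
Size=48
Context=Applications

[48x48/mimetypes]
Size=48
Context=MimeTypes
"""

# Constructed stand-in for the theme's files on disk: directory -> icon names.
THEME_FILES = {
    "48x48/apps": {"firefox", "gimp"},
    "48x48/mimetypes": {"image-jpeg", "x-office-document"},
}

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keys in both file formats are case-sensitive
    cp.read_string(text)
    return cp

def icon_contexts(icon, index_text=INDEX_THEME, files=THEME_FILES):
    """Return the set of theme contexts in which `icon` is installed."""
    theme = _parse(index_text)
    dirs = theme["Icon Theme"]["Directories"].split(",")
    return {theme[d].get("Context", "") for d in dirs
            if d in theme and icon in files.get(d, ())}

def icon_allowed(desktop_text):
    """True only if Icon= names a themed icon found solely in Applications."""
    try:
        entry = _parse(desktop_text)
    except configparser.Error:  # assumption: unparsable files are refused
        return False
    icon = entry.get("Desktop Entry", "Icon", fallback="")
    if not icon or "/" in icon:  # assumption: path-style icons are refused
        return False
    return icon_contexts(icon) == {"Applications"}
```

A launcher whose Icon= resolves to a MimeTypes icon is rejected here, while the case Aaron raised (a "legit" non-mime icon) still passes, which is the limit of this check.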


