Security issue with .desktop files revisited
Mike Hearn
mike at plan99.net
Mon Apr 3 01:44:33 EEST 2006
> But this is only true if the .desktop file is a valid .desktop file, no?
I guess so. I don't know what KDE/GNOME do when given an invalid desktop
file.
> And if the icon is actually in the theme on the user's system?
Yes - things like JPEG file, word processor document etc are pretty much
guaranteed to be there.
> They can't embed their own icons.
This is what will save us ...
> We can also limit what one can put in the Icon= line, to icons in the Applications
> context.
That was the original proposal. There have been lots of alternatives
proposed, but can anybody think of a good reason why we shouldn't do
this? Aaron gave the best IMHO - that there are many "legit" icons a
malicious file could use that aren't mime icons. Fair point. But, is
this reasoning strong enough to say we should not do it? I am not sure.
thanks -mike
More information about the xdg
mailing list