.desktop files, serious security hole, virus-friendliness

Thiago Macieira thiago at kde.org
Tue Apr 4 02:06:53 EEST 2006


Mike Hearn wrote:
> The discussion also was started NOT because .desktop files ignore the +x
> bit which is quite a trivial issue imho, but because they can make
> themselves appear to be absolutely anything you want, including files
> that are "safe" to open like image/document files, when in fact they
> are programs.
>
> This kind of two-facedness has been exploited in the past, and _that_ is
> the real issue here.

In my opinion, it's the combination of both that makes this issue a 
threat.

Currently, any shell script run can do anything. But you know it's a 
shell-script, so you won't run it (except in accidents).

If it could only make itself show up as anything, but when opened it 
triggered the text editor in all cases, it would be inoffensive. At most, 
it would be annoying and confusing, but not dangerous.

-- 
Thiago Macieira  -  thiago (AT) macieira.info - thiago (AT) kde.org
  thiago.macieira (AT) trolltech.com     Trolltech AS
    GPG: 0x6EF45358                   |  Sandakerveien 116,
    E067 918B B660 DBD1 105C          |  NO-0402
    966C 33F5 F005 6EF4 5358          |  Oslo, Norway
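
The combination discussed in this message (a launcher that presents itself as a document and is run without the +x bit) can be checked for mechanically. The following is an added example, not part of the original post; the name and icon patterns, the constructed sample entry and the function names are assumptions made for the illustration.

```python
import configparser
import os
import re
import tempfile

# Heuristics chosen for this example (assumptions, not from the thread or a spec).
DOC_NAME = re.compile(r"\.(jpe?g|png|gif|pdf|txt|od[tsp]|docx?)$", re.I)
DOC_ICON = re.compile(r"^(image|text|audio|video|x-office|gnome-mime)-", re.I)

# Constructed sample: a launcher dressed up as a picture. Exec is harmless.
SAMPLE = """[Desktop Entry]
Type=Application
Name=holiday.jpg
Icon=image-x-generic
Exec=sh -c "echo constructed-example"
"""

def audit_desktop_file(path):
    """Report whether a .desktop launcher poses as a document and lacks +x."""
    cp = configparser.RawConfigParser(delimiters=("=",), comment_prefixes=("#",),
                                      strict=False)
    cp.optionxform = str  # Desktop Entry keys are case-sensitive
    try:
        cp.read(path, encoding="utf-8")
        entry = cp["Desktop Entry"]
    except (configparser.Error, KeyError, UnicodeDecodeError):
        return None  # not a parseable desktop entry
    if entry.get("Type") != "Application" or "Exec" not in entry:
        return None  # Link and Directory entries start no program
    disguise = []
    if DOC_NAME.search(entry.get("Name", "")):
        disguise.append("Name ends in a document extension")
    if DOC_ICON.match(entry.get("Icon", "")):
        disguise.append("Icon is a MIME-type (document) icon")
    no_x = not (os.stat(path).st_mode & 0o111)
    # "flag" marks the combination: looks like a document AND would run without +x.
    return {"exec": entry["Exec"], "disguise": disguise, "no_x_bit": no_x,
            "flag": bool(disguise) and no_x}

def audit_sample(text=SAMPLE, mode=0o644):
    """Write text to a temporary .desktop file with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.desktop")
        with open(path, "w", encoding="utf-8") as f:
            f.write(text)
        os.chmod(path, mode)
        return audit_desktop_file(path)

if __name__ == "__main__":
    print(audit_sample())
```

The result keeps the two conditions as separate fields, so a reviewer can see which half of the combination a given file satisfies.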