.desktop files, serious security hole, virus-friendliness

Mark Seaborn mrs at mythic-beasts.com
Tue Apr 4 22:03:14 EEST 2006


One problem with using the executable bit on .desktop files is that
the executable bit could become set without any special action by the
user.

For example, a tar file can contain a .desktop file with its
executable bit set.  tar will honour this bit when it unpacks the
archive.  (If it didn't, it wouldn't be very useful.)

A user might receive a tar file as an attachment, open it (presumably
causing it to be unpacked to a temporary directory), double-click the
.desktop file -- and thereby give an untrusted program access to their
whole user account without warning.

Mark
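
The mode bit described in the message above is stored in each tar member's header, so it can be inspected before anything is unpacked. The following is an added example, not part of the original message: the function names and the in-memory sample archive are constructed for illustration, and only Python's standard tarfile module is used.

```python
import io
import stat
import tarfile

# Any of the user/group/other execute bits counts as "executable".
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def executable_desktop_entries(archive):
    """Return names of .desktop members whose stored mode has an execute bit.

    `archive` is a binary file object holding a tar archive (optionally
    compressed). Only headers are read; nothing is written to disk.
    """
    flagged = []
    with tarfile.open(fileobj=archive, mode="r:*") as tar:
        for member in tar:
            if (member.isfile()
                    and member.name.lower().endswith(".desktop")
                    and member.mode & EXEC_BITS):
                flagged.append(member.name)
    return flagged


def build_sample_archive():
    """Constructed sample: two launchers, one stored as 0755 and one as 0644."""
    body = b"[Desktop Entry]\nType=Application\nName=Sample\nExec=/bin/true\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode in (("docs/report.desktop", 0o755),
                           ("docs/notes.desktop", 0o644)):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            info.mode = mode  # the bit tar would restore on extraction
            tar.addfile(info, io.BytesIO(body))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name in executable_desktop_entries(build_sample_archive()):
        print("executable .desktop entry in archive:", name)
```

A mail client or archive manager could run a check like this on an attachment and clear the execute bits on flagged entries when unpacking to a temporary directory.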


