.desktop files, serious security hole, virus-friendliness
Mark Seaborn
mrs at mythic-beasts.com
Tue Apr 4 22:03:14 EEST 2006

One problem with using the executable bit on .desktop files is that
the executable bit could become set without any special action by the
user.

For example, a tar file can contain a .desktop file with its
executable bit set. tar will honour this bit when it unpacks the
archive. (If it didn't, it wouldn't be very useful.)

A user might receive a tar file as an attachment, open it (presumably
causing it to be unpacked to a temporary directory), double-click the
.desktop file -- and thereby give an untrusted program access to their
whole user account without warning.

Mark