Security issue with .desktop files revisited

Thomas Leonard tal at
Mon Apr 10 23:26:42 EEST 2006

On Mon, 10 Apr 2006 04:58:28 -0700, Sam Watkins wrote:

> Waldo Bastian wrote:
>> I think it's a sane idea to require +x on .desktop files in order for a file 
>> browser or "Desktop" to execute the .desktop file. It shouldn't be too much 
>> of a problem to add a #!/usr/bin/xdg-open line to the format either, although 
>> it my take a while before applications actually start to add that.
> Thank-you very much for the encouragement Waldo :)
> I'll have a go at implementing my proposal soon, God willing.
> If anyone knows of particular bits of gnome, kde and xfce that are
> responsible for executing, creating and editing .desktop files,
> would you please let me know to save me having to hunt around?
> Also do you know of any other environments, utilities, etc. out there
> that use, create or manipulate .desktop files?  Maybe there's a list
> somewhere?

Well, in ROX-Filer diritem.c, delete this:

	else if (item->mime_type == application_x_desktop)
		item->flags |= ITEM_FLAG_EXEC_FILE;

But, I doubt you'll have much success getting patches applied until
*after* .desktop files come with +x by default ;-)

Dr Thomas Leonard
GPG: 9242 9807 C985 3C07 44A6  8B9A AE07 8280 59A5 3CC1

More information about the xdg mailing list