Security issue with .desktop files revisited

Bastian, Waldo waldo.bastian at
Tue Apr 11 03:34:30 EEST 2006

A viable strategy would be to start creating .desktop files with +x set
and a #!/usr/bin/xdg-open line now and then to wait a while before
environments actually start requiring it. In the meantime there could be
some config setting that people/distributions can use to enable it
before that time.

Waldo Bastian
Linux Client Architect - Client Linux Foundation Technology
Channel Platform Solutions Group
Intel Corporation -
OSDL DTL Tech Board Chairman

>-----Original Message-----
>From: xdg-bounces at [mailto:xdg-bounces at] On Behalf Of Thomas Leonard
>Sent: Monday, April 10, 2006 1:27 PM
>To: xdg at
>Subject: Re: Security issue with .desktop files revisited
>On Mon, 10 Apr 2006 04:58:28 -0700, Sam Watkins wrote:
>> Waldo Bastian wrote:
>>> I think it's a sane idea to require +x on .desktop files in order for a
>>> browser or "Desktop" to execute the .desktop file. It shouldn't be
>>> of a problem to add a #!/usr/bin/xdg-open line to the format either,
>>> it may take a while before applications actually start to add that.
>> Thank-you very much for the encouragement Waldo :)
>> I'll have a go at implementing my proposal soon, God willing.
>> If anyone knows of particular bits of gnome, kde and xfce that are
>> responsible for executing, creating and editing .desktop files,
>> would you please let me know to save me having to hunt around?
>> Also do you know of any other environments, utilities, etc. out there
>> that use, create or manipulate .desktop files?  Maybe there's a list
>> somewhere?
>Well, in ROX-Filer diritem.c, delete this:
>	else if (item->mime_type == application_x_desktop)
>	{
>		item->flags |= ITEM_FLAG_EXEC_FILE;
>	}
>But, I doubt you'll have much success getting patches applied until
>*after* .desktop files come with +x by default ;-)
>Dr Thomas Leonard
>GPG: 9242 9807 C985 3C07 44A6  8B9A AE07 8280 59A5 3CC1
>xdg mailing list
>xdg at
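
The policy proposed in this thread, written out as a check a file manager could run before launching a .desktop file. This is an added example, not code from the thread or from ROX-Filer; the function name `desktop_launch_allowed` and the `require_marks` flag (standing in for the config setting mentioned above) are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define XDG_SHEBANG "#!/usr/bin/xdg-open"

/* Hypothetical policy check (name is an assumption): may a file manager
 * launch this .desktop file? require_marks models the config setting from
 * the thread; when false, the legacy "launch any .desktop" behaviour stays. */
bool desktop_launch_allowed(const char *path, bool require_marks)
{
    if (!require_marks)
        return true;
    /* Open once and inspect the descriptor, so the mode bits and the
     * content checked belong to the same file (no stat-then-open race). */
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return false;
    struct stat st;
    char line[64] = {0};
    size_t len = strlen(XDG_SHEBANG);
    bool ok = false;
    /* Regular file with at least one execute bit set (+x). */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 0111)) {
        ssize_t n = read(fd, line, sizeof(line) - 1);
        /* The first line must be exactly the xdg-open shebang. */
        ok = n > (ssize_t)len && strncmp(line, XDG_SHEBANG, len) == 0 &&
             line[len] == '\n';
    }
    close(fd);
    return ok;
}

/* Prints the decision for each path given on the command line. */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i],
               desktop_launch_allowed(argv[i], true) ? "launch" : "refuse");
    return 0;
}
```

A file that fails the check can still be opened as a document (shown in an editor, for instance); the check only decides whether activating it runs its Exec line.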
