Security issue with .desktop files revisited

Rodney Dawes dobey at novell.com
Tue Apr 11 20:01:15 EEST 2006


Better yet, let's not encourage people to turn .desktop files into
scripts. As has been expressed MANY times in this thread, requiring +x
and a special tool that doesn't evaluate Exec any differently than we
are currently evaluating Exec, doesn't solve the problem. It is very
easy to ship a .desktop file to someone that is already +x.

We need to fix the evaluation semantics of Exec, not write a bunch of
easily-avoidable workarounds.

-- dobey


On Tue, 2006-04-11 at 17:06 +0200, Benedikt Meurer wrote:
> Bastian, Waldo wrote:
> > A viable strategy would be to start creating .desktop files with +x set
> > and a #!/usr/bin/xdg-open line now and then to wait a while before
> > environments actually start requiring it.
> 
> Please do not encourage people to hardcode /usr/bin/xdg-open. Instead,
> suggest to use #!/usr/bin/env xdg-open.
> 
> > Waldo Bastian
> 
> Benedikt




