Security issue with .desktop files revisited

Bastian, Waldo waldo.bastian at intel.com
Wed Apr 12 01:58:25 EEST 2006


>Better yet, let's not encourage people to turn .desktop files into
>scripts. As has been expressed MANY times in this thread, requiring +x
>and a special tool that doesn't evaluate Exec any differently than we
>are currently evaluating Exec, doesn't solve the problem. It is very
>easy to ship a .desktop file to someone that is already +x.
>
>We need to fix the evaluation semantics of Exec, not write a bunch of
>easily-avoidable workarounds.

I fail to understand how changing the evaluation semantics of Exec is
going to help with any of the mentioned problems. Are you proposing some
sort of heuristic to decide on "safe" and "unsafe" commands in a
.desktop file?

Cheers,
Waldo


