Security issue with .desktop files revisited

Mike Hearn mike at plan99.net
Thu Mar 23 15:13:05 EET 2006


A while ago it was discussed how .desktop files made us vulnerable to the
same problems Windows and OS X have had with executable files pretending
to be data files.  At the time nothing was done, as it was a theoretical
possibility. One enterprising hacker (Peter Lund) has now managed to make
a .desktop file which is simultaneously a valid shell script, in other
words, you can put any code you like in it and it'll run without any
network access. Such a .desktop file can appear to be anything you want
such as a JPEG image.

At the time I suggested we change the spec so that .desktop files which
would execute a program when clicked cannot use mime type icons. This
would cause minimal breakage, because mime type icons are totally
un-specified anyway right now and so very few programs actually ship them.
There's also few legit reasons why a program would be using a MIME type
icon as its primary icon.

Does this plan sound OK to people? 

thanks -mike




More information about the xdg mailing list