Security issue with .desktop files revisited
Aaron J. Seigo
aseigo at kde.org
Thu Mar 23 18:05:32 EET 2006
On Thursday 23 March 2006 06:13, Mike Hearn wrote:
> possibility. One enterprising hacker (Peter Lund) has now managed to make
> a .desktop file which is simultaneously a valid shell script, in other
> words, you can put any code you like in it and it'll run without any
> network access. Such a .desktop file can appear to be anything you want
> such as a JPEG image.
is there such an example .desktop file we can get our hands on to look at,
test and assess the situation directly?
> At the time I suggested we change the spec so that .desktop files which
> would execute a program when clicked cannot use mime type icons. This
> would cause minimal breakage, because mime type icons are totally
> un-specified anyway right now and so very few programs actually ship them.
> There's also few legit reasons why a program would be using a MIME type
> icon as its primary icon.
what prevents a malicious .desktop file from using any of the other icons we
ship and pretending to be something else? looking through just the
Application icons i have on disk here, any number of them could be used to
pretend to be a movie, an mp3, a word processing document .....
Aaron J. Seigo
GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA EE75 D6B7 2EB1 A7F1 DB43
Full time KDE developer sponsored by Trolltech (http://www.trolltech.com)
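An added example, not code from the thread or from KDE or freedesktop.org: a small checker that parses a .desktop file and flags the spoofing pattern the thread discusses, i.e. an entry that runs a program (Type=Application with an Exec= line) while presenting itself as a data file through a MIME-type icon, a data-file-looking Name, or a leading shebang that also makes the file runnable as a script. The MIME-icon prefixes and data suffixes below are assumptions for this example (the prefixes follow the MimeTypes context of the Icon Naming Specification), and the two sample entries are constructed. As Aaron's reply points out, a launcher that borrows an ordinary application icon resembling a document passes this check unflagged; the rule catches only the class Mike Hearn proposed to ban.

```python
import re

# Assumption: icon names from the Icon Naming Specification's "MimeTypes"
# context, plus the raw "type/subtype" form; not exhaustive.
MIME_ICON_PREFIXES = ("image-", "video-", "audio-", "text-", "application-",
                      "x-office-", "package-", "font-")
# Assumption: extensions a user reads as "a document, not a program".
DATA_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif", ".mp3", ".ogg", ".avi",
                 ".mpg", ".mpeg", ".doc", ".odt", ".pdf", ".txt")


def parse_desktop_entry(text):
    """Return the key/value pairs of the [Desktop Entry] group.

    Blank lines and '#' comment lines are skipped, which is exactly why a
    file that opens with a '#!' shebang still parses as a desktop entry.
    A localized key such as Name[de] only fills in a missing base key.
    """
    entries = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if not in_group or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip()
        base = re.sub(r"\[.*\]$", "", key)
        if key == base or base not in entries:
            entries[base] = value.strip()
    return entries


def looks_like_mime_icon(icon):
    """True for 'image/jpeg' style names or MimeTypes-context icon names."""
    if not icon or icon.startswith("/"):      # absolute path: a real file
        return False
    return "/" in icon or icon.startswith(MIME_ICON_PREFIXES)


def assess(text):
    """Return a list of findings for one .desktop file's contents."""
    findings = []
    entry = parse_desktop_entry(text)
    if text.lstrip().startswith("#!"):
        findings.append("starts with a shebang: also runnable as a script")
    runs_program = entry.get("Type") == "Application" and "Exec" in entry
    if not runs_program:
        return findings
    if looks_like_mime_icon(entry.get("Icon", "")):
        findings.append("Exec entry uses a MIME-type icon: %s" % entry["Icon"])
    if entry.get("Name", "").lower().endswith(DATA_SUFFIXES):
        findings.append("Exec entry named like a data file: %s" % entry["Name"])
    return findings


# Constructed samples (not from the thread).
BENIGN = """[Desktop Entry]
Type=Application
Name=Konqueror
Icon=konqueror
Exec=konqueror %u
"""

SPOOFED = """#!/bin/sh
[Desktop Entry]
Type=Application
Name=holiday.jpg
Name[de]=urlaub.jpg
Icon=image-x-generic
Exec=xmessage 'not a picture'
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("spoofed", SPOOFED)):
        print(label, assess(sample) or ["no findings"])
```

Run it on a directory of launchers and review only the entries with findings; the shebang check is worth keeping even where the icon rule is not adopted, since a desktop entry has no legitimate reason to begin with `#!`.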