Security issue with .desktop files revisited

Aaron J. Seigo aseigo at
Thu Mar 23 18:05:32 EET 2006

On Thursday 23 March 2006 06:13, Mike Hearn wrote:
> possibility. One enterprising hacker (Peter Lund) has now managed to make
> a .desktop file which is simultaneously a valid shell script, in other
> words, you can put any code you like in it and it'll run without any
> network access. Such a .desktop file can appear to be anything you want
> such as a JPEG image.

is there such an example .desktop file we can get our hands on to look at, 
test and assess the situation directly?

> At the time I suggested we change the spec so that .desktop files which
> would execute a program when clicked cannot use mime type icons. This
> would cause minimal breakage, because mime type icons are totally
> un-specified anyway right now and so very few programs actually ship them.
> There's also few legit reasons why a program would be using a MIME type
> icon as its primary icon.

what prevents a malicious .desktop file from using any of the other icons we 
ship and pretending to be something else? looking through just the 
Application icons i have on disk here, any number of them could be used to 
pretend to be a movie, an mp3, a word processing document .....

Aaron J. Seigo
GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA  EE75 D6B7 2EB1 A7F1 DB43

Full time KDE developer sponsored by Trolltech (
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : 

More information about the xdg mailing list