Security issue with .desktop files revisited

Mike Hearn mike at plan99.net
Fri Mar 24 14:16:33 EET 2006


On Thu, 23 Mar 2006 20:06:54 +0100, Thiago Macieira wrote:
> The possibility of embedding one format inside another while both are 
> still completely valid exists for many other formats. You can find many 
> examples out there that do that. Doing so for .desktop files is no 
> surprise.

Hm, OK. I admit this is the first time I've seen such a thing. Still, it's
a good excuse to raise the issue again :)
 
> This doesn't help at all.

Right. The intention was more something like "if it links to a program
already installed on the system don't warn, otherwise do" but that
implementation is not good enough.
 
> This warning would show up for each and every .desktop file that the
> user clicked on, on the file manager and on the desktop. It would be
> really annoying to click on your mail program on your desktop and get a
> warning "you clicked on an icon that runs a program. Do you want to run
> the program?"

Only for .desktop files without the +x bit, and that would be set whenever
a desktop shortcut is created or the user says to continue (i.e. that it's
safe).

So yeah it's not ideal but it wouldn't pop up each time.

That said, given that most icon themes distinguish between
document-type-things that users have been trained to treat as safe and
application-type-things that users have been told are unsafe, the mime
icon change might help a bit. Other ideas don't seem to have much more
support....

thanks -mike
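
The +x policy described in this message, sketched as an added example (not code from the thread or from any desktop environment): prompt only when the launcher lacks the execute bit, and set the bit once the user confirms. The function names, the `confirm` callback and the sample launcher contents are assumptions made for illustration.

```python
import os
import stat
import tempfile

def read_exec(path):
    """Return the Exec= value from the [Desktop Entry] group, or None."""
    in_entry = False
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("["):
                in_entry = line == "[Desktop Entry]"
            elif in_entry and line.startswith("Exec"):
                key, sep, value = line.partition("=")
                if sep and key.strip() == "Exec":
                    return value.strip()
    return None

def mark_trusted(path):
    """Set the owner +x bit: done at shortcut creation or after the user confirms."""
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)

def decide(path, confirm):
    """Return (action, command); confirm(command) is called only when +x is missing."""
    command = read_exec(path)
    if command is None:
        return ("refuse", None)      # no Exec key, nothing to launch
    if os.stat(path).st_mode & stat.S_IXUSR:
        return ("run", command)      # already trusted, no prompt
    if confirm(command):
        mark_trusted(path)           # remember the answer for next time
        return ("run", command)
    return ("refuse", command)

def demo():
    """Constructed sample: a launcher that arrives without +x, clicked three times."""
    fd, path = tempfile.mkstemp(suffix=".desktop")
    with os.fdopen(fd, "w") as fh:
        fh.write("[Desktop Entry]\nType=Application\nExec=/usr/bin/example-viewer %f\n")
    os.chmod(path, 0o644)
    prompts = []
    def ask(command):
        prompts.append(command)
        return len(prompts) > 1      # user declines once, then accepts
    actions = [decide(path, ask)[0] for _ in range(3)]
    os.unlink(path)
    return actions, len(prompts)

if __name__ == "__main__":
    print(demo())
```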



