Security issue with .desktop files revisited
dave at cridland.net
Tue Mar 28 17:06:46 EEST 2006
On Tue Mar 28 13:37:41 2006, Mike Hearn wrote:
> Here's an idea - the problem with requiring an EA or +x to be set
> is it breaks backwards compatibility (it'd break Crossover/Wine for
> one ...). But what if the logic is inverted - so the absence of +x
> means a file is trusted, and web browsers or email programs set +x
> when they save a file to disk? The +x bit on a .desktop file in the
> users home dir is then treated as a "don't trust" marker. This
> doesn't break backwards compatibility and only requires that web
> browsers and email programs be patched.
There are a lot more browsers and email programs than there are
.desktop interpreters, and moreover the majority of email/browsers
are designed to be cross-platform, so getting the code in there
correctly would be more annoying.
> I'd still be happier with some solution that prevented a .desktop
> file masquerading as a JPEG file, but anything is better than
> nothing ...
I don't think that requiring +x for .desktop "activation" precludes
marking .desktop files in some special way.
You see things; and you say "Why?"
But I dream things that never were; and I say "Why not?"
- George Bernard Shaw
More information about the xdg