Security issue with .desktop files revisited
Ludwig Nussel
ludwig.nussel at suse.de
Tue Mar 28 18:28:57 EEST 2006
On Thursday 23 March 2006 14:13, Mike Hearn wrote:
> A while ago it was discussed how .desktop files made us vulnerable to the
> same problems Windows and OS X have had with executable files pretending
> to be data files. At the time nothing was done, as it was a theoretical
> possibility. One enterprising hacker (Peter Lund) has now managed to make
> a .desktop file which is simultaneously a valid shell script, in other
> words, you can put any code you like in it and it'll run without any
> network access. Such a .desktop file can appear to be anything you want
> such as a JPEG image.
I wonder why desktop files get 'executed' at all. Only the programs
that display the desktop and the menu need to run what's described
in a desktop file. For everything else the default action could be
just like the one for text/plain, i.e. launch an editor.
cu
Ludwig
--
(o_ Ludwig Nussel
//\ SUSE LINUX Products GmbH, Development
V_/_ http://www.suse.de/
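
The check below is an added example and not part of the original thread: it audits the text of one .desktop file for the mismatch described above, an entry that presents itself as a data file while its Exec line runs a command. The extension list, icon patterns, finding strings and both sample entries are constructed assumptions.

```python
import configparser
import re

# Constructed lists (assumptions): extensions a user reads as "data", and
# MIME-type style icon names such as image-x-generic or text-x-generic.
DATA_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".odt")
DATA_ICON = re.compile(r"(image-|text-|x-office-|application-pdf)", re.I)
SHELLS = {"sh", "bash", "dash", "ksh", "zsh"}

def audit_desktop_entry(text):
    """Return a list of findings for the contents of one .desktop file."""
    findings = []
    # "#!" is a comment to a desktop-entry parser, but an interpreter line
    # to the kernel when the file carries the executable bit.
    if text.startswith("#!"):
        findings.append("shebang: file can also run as a script")
    parser = configparser.RawConfigParser(
        delimiters=("=",), comment_prefixes=("#",), strict=False)
    parser.optionxform = str  # desktop-entry keys are case-sensitive
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        # Lines that are neither group, comment nor key=value land here.
        return findings + ["unparseable: " + type(exc).__name__]
    if not parser.has_section("Desktop Entry"):
        return findings + ["no [Desktop Entry] group"]
    entry = parser["Desktop Entry"]
    name, icon = entry.get("Name", ""), entry.get("Icon", "")
    exec_ = entry.get("Exec", "")
    if entry.get("Type", "") == "Application" and exec_:
        if name.lower().endswith(DATA_EXTS):
            findings.append("name %r looks like a data file, Exec=%r" % (name, exec_))
        if DATA_ICON.match(icon):
            findings.append("icon %r suggests a document, not a program" % icon)
        if exec_.split()[0].rsplit("/", 1)[-1] in SHELLS:
            findings.append("Exec hands a command line to a shell")
    return findings

# Constructed samples: a launcher dressed up as a JPEG, and an ordinary one.
MASQUERADE = """[Desktop Entry]
Type=Application
Name=holiday.jpg
Icon=image-x-generic
Exec=sh -c "echo constructed sample"
"""
ORDINARY = """[Desktop Entry]
Type=Application
Name=Text Editor
Icon=accessories-text-editor
Exec=gedit %U
"""

if __name__ == "__main__":
    for label, sample in (("masquerade", MASQUERADE), ("ordinary", ORDINARY)):
        print(label, audit_desktop_entry(sample))
```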