Security issue with .desktop files revisited

Ludwig Nussel ludwig.nussel at
Tue Mar 28 18:28:57 EEST 2006

On Thursday 23 March 2006 14:13, Mike Hearn wrote:
> A while ago it was discussed how .desktop files made us vulnerable to the
> same problems Windows and OS X have had with executable files pretending
> to be data files.  At the time nothing was done, as it was a theoretical
> possibility. One enterprising hacker (Peter Lund) has now managed to make
> a .desktop file which is simultaneously a valid shell script, in other
> words, you can put any code you like in it and it'll run without any
> network access. Such a .desktop file can appear to be anything you want
> such as a JPEG image.

I wonder why desktop files get 'executed' at all. Only the programs
that display the desktop and the menu need to run what's described
in a desktop file. For everything else the default action could be
just like the one for text/plain, ie launch an editor.


 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development

More information about the xdg mailing list