Security issue with .desktop files revisited

Francois Gouget fgouget at
Tue Mar 28 18:38:22 EEST 2006

Mike Hearn wrote:
>> Surely, requiring that web browsers and email tools make all the files 
>> they save executable cannot be good for security...
> Only .desktop files, and right now +x on such a file is meaningless anyway.

Right. So now tools like wget (and shells, see below) have to know about 
KDE/Gnome internal concepts like desktop files! And you criticize 
Windows design?

>> Which is kind of the opposite of its normal meaning which can be taken 
>> to be 'I trust this file enough that I am willing to execute it'.
> Yes, it's unintuitive to reverse the meaning like that,

It's not just unintuitive, it's dangerous and unsecure too. By dictating 
that tools that download file must mark .desktop files as executable you 
have just removed the one thing that prevents nasty .desktop files like 
the one you mentioned from being executed on the command line!

Unless you now want to mandate that bash, zsh, dash and all other shells 
must also make an exception for .desktop files! As they say 'this way 
lies insanity'.

Francois Gouget
fgouget at

More information about the xdg mailing list