Security issue with .desktop files revisited
Francois Gouget
fgouget at codeweavers.com
Tue Mar 28 18:38:22 EEST 2006
Mike Hearn wrote:
[...]
>> Surely, requiring that web browsers and email tools make all the files
>> they save executable cannot be good for security...
>
> Only .desktop files, and right now +x on such a file is meaningless anyway.
Right. So now tools like wget (and shells, see below) have to know about
KDE/Gnome internal concepts like desktop files! And you criticize
Windows design?
>> Which is kind of the opposite of its normal meaning which can be taken
>> to be 'I trust this file enough that I am willing to execute it'.
>>
> Yes, it's unintuitive to reverse the meaning like that,
It's not just unintuitive, it's dangerous and unsecure too. By dictating
that tools that download file must mark .desktop files as executable you
have just removed the one thing that prevents nasty .desktop files like
the one you mentioned from being executed on the command line!
Unless you now want to mandate that bash, zsh, dash and all other shells
must also make an exception for .desktop files! As they say 'this way
lies insanity'.
--
Francois Gouget
fgouget at codeweavers.com
More information about the xdg
mailing list