Security issue with .desktop files revisited

Mike Hearn mike at
Tue Mar 28 19:02:32 EEST 2006

Francois Gouget wrote:
> Right. So now tools like wget (and shells, see below) have to know 
> about KDE/Gnome internal concepts like desktop files! And you 
> criticize Windows design?
Not really, anything is better than nothing - does Firefox set the 
"unsafe" EA on Windows? I don't know but I doubt it, yet it's no real 
problem. The hint can be added in future. So wget doesn't "have" to 
know, it could know, if people wanted that, but then from the command 
line you can always see what a file really is - and the problem that 
started this thread off is that KDE and GNOME can represent a .desktop 
file as pretty much any kind of file (jpeg, ms word doc, whatever).
> It's not just unintuitive, it's dangerous and unsecure too. By 
> dictating that tools that download file must mark .desktop files as 
> executable you have just removed the one thing that prevents nasty 
> .desktop files like the one you mentioned from being executed on the 
> command line!
You can't execute .desktop files even if they are marked as +x from the 
command line, as there is no binfmt handler for them.

thanks -mike

More information about the xdg mailing list