Security issue with .desktop files revisited
mike at plan99.net
Tue Mar 28 19:02:32 EEST 2006
Francois Gouget wrote:
> Right. So now tools like wget (and shells, see below) have to know
> about KDE/Gnome internal concepts like desktop files! And you
> criticize Windows design?
Not really, anything is better than nothing - does Firefox set the
"unsafe" EA on Windows? I don't know but I doubt it, yet it's no real
problem. The hint can be added in future. So wget doesn't "have" to
know, it could know, if people wanted that, but then from the command
line you can always see what a file really is - and the problem that
started this thread off is that KDE and GNOME can represent a .desktop
file as pretty much any kind of file (jpeg, ms word doc, whatever).
> It's not just unintuitive, it's dangerous and insecure too. By
> dictating that tools that download files must mark .desktop files as
> executable you have just removed the one thing that prevents nasty
> .desktop files like the one you mentioned from being executed on the
> command line!
You can't execute .desktop files even if they are marked as +x from the
command line, as there is no binfmt handler for them.
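
An added example, not part of the original post or of any project's code: a small Python check that shows what a .desktop launcher "really is" (its Type and Exec) next to what a file manager would display (Name, Icon), and reports whether the file has the executable bit. The extension list, the function names and the sample entry are assumptions constructed for illustration.

```python
import configparser
import os
import stat

# Constructed list of extensions a launcher's Name= could borrow to look like a document.
DOC_EXTS = (".jpg", ".jpeg", ".png", ".pdf", ".doc", ".odt", ".txt")

def inspect_entry(text):
    """Parse .desktop text; return what it displays versus what it runs, or None."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # Desktop Entry keys are case-sensitive
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("Desktop Entry"):
        return None
    entry = cp["Desktop Entry"]
    info = {
        "type": entry.get("Type", ""),
        "shown_name": entry.get("Name", ""),
        "icon": entry.get("Icon", ""),
        "exec": entry.get("Exec", ""),
    }
    launches = info["type"] == "Application" and bool(info["exec"])
    info["masquerades"] = launches and info["shown_name"].lower().endswith(DOC_EXTS)
    return info

def scan(directory):
    """Yield (path, has_x_bit, info) for every launcher under directory."""
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.endswith(".desktop"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                info = inspect_entry(fh.read())
            if info is not None:
                has_x = bool(os.stat(path).st_mode & stat.S_IXUSR)
                yield path, has_x, info

# Constructed sample: displayed as a picture, but Type=Application with an Exec line.
SAMPLE = """[Desktop Entry]
Type=Application
Name=holiday.jpg
Icon=image-x-generic
Exec=/bin/echo placeholder-command
"""

if __name__ == "__main__":
    print(inspect_entry(SAMPLE))
```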