Security issue with .desktop files revisited

Mike Hearn mike at
Tue Mar 28 20:16:22 EEST 2006

Francois Gouget wrote:
> At least Windows does not require Firefox to know about .lnk, .cmd and 
> .pif files.
No, and a marking scheme doesn't _require_ anything to be updated. It's 
a nice-to-have-but-not-essential feature.
> First, who said that worm writers are not allowed to call their ELF 
> creations 'myworm.desktop'? 
They can call an ELF file whatever they like, but such a file will be 
represented by the desktop environment as a program and not anything 
else, so it's not an issue.

To reiterate, the security problem here is that something which is a 
program can make itself look like a document by using a .desktop file. 
Some modification to the spec or additional metadata can be used to give 
hints to the user that all is not what it seems, and the +x bit is being 
suggested only because EA support is not fully baked yet. The fact that 
+x bits have some other meaning for shell scripts and ELF files isn't 
related ..... the .desktop file that is also a shell script will be 
treated as a .desktop file by the desktop environment as that's what it 
will match on using the MIME sniffers (and if it doesn't then the file 
will be represented as a program so there is no problem).

thanks -mike

More information about the xdg mailing list