Security issue with .desktop files revisited
mike at plan99.net
Tue Mar 28 20:16:22 EEST 2006
Francois Gouget wrote:
> At least Windows does not require Firefox to know about .lnk, .cmd and
> .pif files.
No, and a marking scheme doesn't _require_ anything to be updated. It's
a nice-to-have-but-not-essential feature.
> First, who said that worm writers are not allowed to call their ELF
> creations 'myworm.desktop'?
They can call an ELF file whatever they like, but such a file will be
represented by the desktop environment as a program and not anything
else, so it's not an issue.
To reiterate, the security problem here is that something which is a
program can make itself look like a document by using a .desktop file.
Some modification to the spec or additional metadata can be used to give
hints to the user that all is not what it seems, and the +x bit is being
suggested only because EA support is not fully baked yet. The fact that
+x bits have some other meaning for shell scripts and ELF files isn't
related; the .desktop file that is also a shell script will be
treated as a .desktop file by the desktop environment as that's what it
will match on using the MIME sniffers (and if it doesn't then the file
will be represented as a program so there is no problem).
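The following is an added example, not code from the mail above, the
xdg spec or any desktop environment. It models the policy being argued
for: a file manager sniffs content first, and for a file that sniffs as
a .desktop entry it honours Name=/Icon= and runs Exec= only when the
+x bit is set; without +x the file is shown under its real filename as
the text file it is and is never executed. The sniffing rules (ELF
magic, "[Desktop Entry]" as the first non-comment line, "#!" for
scripts), the category names and the sample files are all assumptions
made for this example.

```python
"""Toy model of "+x as trust marker" for .desktop files (added example).

Assumptions (not from the spec or the mail):
  * Sniffing: ELF magic -> "elf"; "[Desktop Entry]" as the first
    non-blank, non-comment line -> "desktop"; leading "#!" -> "script".
    '#' lines are comments in .desktop syntax, so a shebang line is
    skipped and a file that is both a script and a .desktop entry sniffs
    as "desktop", as the mail says it would.
  * A desktop entry with Exec= is shown with its Name= and run on
    activation only if the file is executable; otherwise it is shown
    under its real filename and never run.
"""
import os
import stat


def sniff(data: bytes) -> str:
    """Simplified MIME sniff of file content."""
    if data.startswith(b"\x7fELF"):
        return "elf"
    for line in data.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(b"#"):
            continue  # comment (or shebang) line: keep looking
        if stripped == b"[Desktop Entry]":
            return "desktop"
        break
    return "script" if data.startswith(b"#!") else "other"


def parse_desktop_entry(data: bytes) -> dict:
    """Return the key=value pairs of the [Desktop Entry] group."""
    entries = {}
    in_group = False
    for line in data.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries


def present(filename: str, data: bytes, executable: bool) -> tuple:
    """Decide how a file manager shows a file.

    Returns (kind, label shown to the user, whether activating it runs code).
    """
    kind = sniff(data)
    if kind != "desktop":
        # An ELF binary or script is a program whatever it is called;
        # it is shown under its own filename, so nothing is hidden.
        if kind in ("elf", "script"):
            return ("program", filename, executable)
        return ("file", filename, False)
    entry = parse_desktop_entry(data)
    if "Exec" not in entry:
        # Type=Link / Type=Directory entries launch nothing.
        return ("desktop-entry", entry.get("Name", filename), False)
    if not executable:
        # No +x: do not honour Name=/Icon=, do not run Exec=.
        return ("untrusted-launcher", filename, False)
    return ("launcher", entry.get("Name", filename), True)


def present_path(path: str) -> tuple:
    """Same decision for a real file on disk (reads its +x bit)."""
    with open(path, "rb") as fh:
        data = fh.read()
    executable = bool(os.stat(path).st_mode & stat.S_IXUSR)
    return present(os.path.basename(path), data, executable)


# Constructed sample contents for the demo (not real files):
DISGUISED = (b"[Desktop Entry]\nType=Application\nName=Quarterly report.pdf\n"
             b"Icon=application-pdf\nExec=sh -c 'echo pwned'\n")
DUAL = b"#!/bin/sh\n[Desktop Entry]\nType=Application\nName=Notes.txt\nExec=/bin/sh\n"
ELF_NAMED_DESKTOP = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x02\x00>\x00"
LINK = b"[Desktop Entry]\nType=Link\nName=Homepage\nURL=http://freedesktop.org/\n"

if __name__ == "__main__":
    for name, data, x in [("report.desktop", DISGUISED, False),
                          ("report.desktop", DISGUISED, True),
                          ("notes.desktop", DUAL, False),
                          ("myworm.desktop", ELF_NAMED_DESKTOP, True),
                          ("home.desktop", LINK, False)]:
        print(name, "+x" if x else "-x", "->", present(name, data, x))
```

Note that the "program" case shows the ELF or script under its own
filename even when it is called myworm.desktop, which is the point
made above: renaming a binary gains the attacker nothing, while a
.desktop entry lacking +x loses its ability to pose as a document.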