Trusted vs Unstrusted MIME types

Patryk Zawadzki patrys at pld-linux.org
Wed Jul 11 03:35:39 PDT 2007 

Ok, I believe I might be on the right track with a new scheme. Instead
of adding yet another line to the .desktop file, we might need another
hint for MIME types. One that says "this might be harmful as it
contains evaluated data."

If the hint is not set, everything works as it did before. If it is
set however we could alter the MIME type.

Let's suppose application/foo is an office format that can contain
macros and thus is marked as possibly unsafe. Now the desktop's VFS or
any part of the application that is looking for possible launchers
could alter this type to application/x-untrusted-foo. This is an
allowed extension and is easily reversible by removing the
x-untrusted- prefix.

Now let's suppose openfoo is an application that deals with
application/foo type of files. It could easily ship two .desktop
files. First:

Name=openfoo
Exec=openfoo %U
MimeType=application/foo;

And second:

Name=openfoo (safe mode)
Exec=openfoo --quarantine %U
MimeType=application/foo;application/x-untrusted-foo;

Now if the file originates from an unknown source, the user is only
presented with the second launcher which could result in the file
being opened with the macros omitted.

The application could also present a Firefox- or Thunderburd-like bar
on top saying that due to possible security issues, the macros were
not loaded and the file is in read-only mode and a button to reload
the file in a normal way for someone who is sure. This is not our job
but would be a welcome enhancement from the application's side.

Please note that there are no dialogs involved and nowhere does it
allow for "don't ask me again" type of option. This already works fine
for mail clients (both gmail and thunderbird ignore links to external
images and people learned that it's to their advantage).

Now let's say that image/bar was considered unsafe because of some
possible issues.

Let's say gnubar is an image viewer and was hardened to make sure it
deals with unsafe data properly. It could ship just one .desktop file:

Name=Image Viewer
Exec=gnubar %U
MimeType=image/bar;image/x-untrusted-bar;

And all works as expected. There are no false positives and no false negatives.

And that's my proposition.

Now to extend it even further we could add another "trusted" property
to each removable media. Then we could ask HAL if a mounted volume is
considered trusted (matching by GUUID) and if not add the same level
of security to data that originates from there (maybe displaying a
small shield emblem on the volume's icon as well) and let users mark
certain media as trusted (with a big fat warning that they should not
do share the drive with anyone who they do not trust).

What do you say? I actually dreamed of this solution and it may be
completely bogus like the rest of things I think of while being asleep
but it certainly convinced me send it here :)

-- 
Patryk Zawadzki
Generated Content

More information about the xdg mailing list