.desktop file security

Patryk Zawadzki patrys at pld-linux.org
Tue Feb 24 10:30:32 PST 2009

On Tue, Feb 24, 2009 at 5:20 PM, Alexander Larsson <alexl at redhat.com> wrote:
> On Tue, 2009-02-24 at 16:45 +0100, Patryk Zawadzki wrote:
>> For the record: even if we require this specific file type to be
>> executable AND provide a binfmt launcher (please don't add the
>> xdg-open shebang, it's an ugly workaround), it still does not solve
>> much in "the big picture". It's still perfectly possible to create a
>> desktop file, mark it as executable then archive it and send it to
>> your friend (naming it pr0n.tar.gz).
> Then they could as well just zip up a normal executable and name it
> something like "porn.jpeg ". At this level of behaviour it's not really
> something you can protect against.

It's much harder to pull off when you can't get the porn.jpeg file to
display a generic JPEG icon. A desktop file allows you to fake both
name and icon (also automatically translating the name according to
user's locale!).

Patryk Zawadzki
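
The disguise described in this message (a launcher whose displayed name and icon imitate a document, including localized names) can be checked for on the receiving side. The following is an added example, not part of the original thread: a heuristic Python check in which the sample entry, the extension list and the icon pattern are all constructed assumptions.

```python
import re

# Constructed sample: a launcher posing as a JPEG (not taken from the thread).
SAMPLE = """\
[Desktop Entry]
Type=Application
Name=holiday.jpeg
Name[pl]=wakacje.jpeg
Icon=image-jpeg
Exec=sh -c "echo constructed-example"
"""

# Heuristics (assumptions): names ending in a document extension, and icon
# names shaped like MIME-type icons ("image-jpeg", "text-x-generic").
DOC_EXT = re.compile(r"\.(jpe?g|png|gif|pdf|txt|odt|docx?|mp3|avi)\s*$", re.I)
MIME_ICON = re.compile(r"^(image|text|audio|video|application|x-office)-[\w.+-]+$")

def parse_desktop_entry(text):
    """Return the key/value pairs of the [Desktop Entry] group."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = (line == "[Desktop Entry]")
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry

def disguise_findings(text):
    """List reasons an executable launcher looks like a document to the user."""
    entry = parse_desktop_entry(text)
    findings = []
    # Only entries that actually run a command are of interest.
    if entry.get("Type") != "Application" or "Exec" not in entry:
        return findings
    # Check Name and every localized Name[xx], since each locale sees its own.
    for key, value in entry.items():
        if (key == "Name" or key.startswith("Name[")) and DOC_EXT.search(value):
            findings.append(f"{key} looks like a document filename: {value!r}")
    icon = entry.get("Icon", "")
    if MIME_ICON.match(icon):
        findings.append(f"Icon is a MIME-type icon: {icon!r}")
    return findings
```
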
