.desktop file security
Thiago Macieira
thiago at kde.org
Tue Feb 24 12:30:45 PST 2009
John Tapsell wrote:
>One potential security flaw...
>
>Say there is a myfile.desktop file that already exists and is
>executable. If a file download overwrites this, it also becomes
>executable, since overwriting a file takes on its permissions.
>
>Maybe a user shouldn't be so silly as to agree to overwrite the
>existing file, but is there anything we can do to prevent this?
That depends on the code that does the downloading. Overwriting could be
implemented by delete-and-create, instead of reusing the existing file.
This is very often the case when the partially downloaded is saved with a
different name (KIO adds .part), so a new file is always created.
--
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
PGP/GPG: 0x6EF45358; fingerprint:
E067 918B B660 DBD1 105C 966C 33F5 F005 6EF4 5358
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://lists.freedesktop.org/archives/xdg/attachments/20090224/c87cbee7/attachment.pgp
More information about the xdg
mailing list