.desktop file security
thiago at kde.org
Tue Feb 24 12:30:45 PST 2009
John Tapsell wrote:
>One potential security flaw...
>Say there is a myfile.desktop file that already exists and is
>executable. If a file download overwrites this, it also becomes
>executable, since overwriting a file takes on its permissions.
>Maybe a user shouldn't be so silly as to agree to overwrite the
>existing file, but is there anything we can do to prevent this?
That depends on the code that does the downloading. Overwriting could be
implemented by delete-and-create, instead of reusing the existing file.
This is very often the case when the partially downloaded file is saved with a
different name (KIO adds .part), so a new file is always created.
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
PGP/GPG: 0x6EF45358; fingerprint:
E067 918B B660 DBD1 105C 966C 33F5 F005 6EF4 5358
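
The two overwrite strategies discussed in this thread, shown side by side as an added example (not part of the original messages and not KIO's code). The function names, the sample file content and the chosen modes are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Constructed sample content standing in for a downloaded file.
DOWNLOADED = b"[Desktop Entry]\nType=Application\nName=constructed sample\nExec=/bin/true\n"

def mode_of(path):
    """Return only the permission bits of path."""
    return stat.S_IMODE(os.stat(path).st_mode)

def overwrite_in_place(path, data):
    # Reuses the existing inode. O_TRUNC empties the file but keeps its
    # permission bits; the 0o644 argument is ignored because the file exists.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def overwrite_via_part(path, data):
    # Delete-and-create variant: write a brand new "<name>.part" file with a
    # non-executable mode, then rename it over the target.
    part = path + ".part"
    fd = os.open(part, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.chmod(part, 0o644)   # set explicitly so the result ignores umask
        os.replace(part, path)  # the old inode and its mode are discarded
    except BaseException:
        if os.path.exists(part):
            os.unlink(part)
        raise

def demo():
    """Overwrite an executable myfile.desktop both ways; return the resulting modes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "myfile.desktop")
        for name, fn in (("in_place", overwrite_in_place),
                         ("via_part", overwrite_via_part)):
            with open(target, "wb") as f:
                f.write(b"[Desktop Entry]\nName=existing\n")
            os.chmod(target, 0o755)  # pre-existing file is executable
            fn(target, DOWNLOADED)
            results[name] = mode_of(target)
    return results

if __name__ == "__main__":
    for name, mode in demo().items():
        print(name, oct(mode))
```
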