.desktop file security

John Tapsell johnflux at gmail.com
Tue Feb 24 17:52:39 PST 2009


2009/2/25 Michael Pyne <mpyne at purinchu.net>:
> On Tuesday 24 February 2009, Patryk Zawadzki wrote:
>> Also using extended filesystem attributes (or some other metadata
>> storage) gives you the additional protection from "downloaded a
>> tarball / uncompressed to desktop / the file was compressed as
>> executable / now I have two computer icons" kind of scenarios.
>
> So what happens when the archive extractor actually supports xattr and now
> there is an executable-with-fancy bit trojan lying in the directory?

Not to mention all the other crazy stuff that you can do with an archive.

You can create a file full of zeros, so that the .tar.gz is only a few
KB big, but when unpacked it's terabytes large and try to ruin the
user's machine that way.

Or make the unpacked file small, but have holes in it so that when
it's read it's terabytes large.
(mpyne - a reason I liked your idea to not use readAll)

John

>
> Regards,
> - Michael Pyne


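The two cases described in this message (a small .tar.gz that unpacks to a huge run of zeros, and a file with holes), as an added example that is not part of the original post: a capped read used in place of a read-everything call. The 64 KiB cap, the function names and the sample inputs are assumptions constructed for illustration, and `st_blocks` is POSIX-only.

```python
import gzip
import io
import os
import tempfile

MAX_BYTES = 64 * 1024  # assumed cap for a small text file such as a .desktop entry

class TooLarge(Exception):
    """Raised when a stream yields more than the allowed number of bytes."""

def read_capped(stream, limit=MAX_BYTES, chunk=8192):
    """Read a stream to EOF, but give up as soon as it exceeds `limit` bytes."""
    buf = bytearray()
    while True:
        # Ask for at most one byte past the limit, so memory use stays bounded.
        block = stream.read(min(chunk, limit + 1 - len(buf)))
        if not block:
            return bytes(buf)
        buf += block
        if len(buf) > limit:
            raise TooLarge(f"more than {limit} bytes")

def read_gzip_capped(compressed, limit=MAX_BYTES):
    """Decompress incrementally; the cap applies to the unpacked size."""
    with gzip.GzipFile(fileobj=io.BytesIO(compressed)) as gz:
        return read_capped(gz, limit)

def sizes(path):
    """Return (apparent size, bytes allocated); st_blocks counts 512-byte units."""
    st = os.stat(path)
    return st.st_size, st.st_blocks * 512

def make_sparse_file(n):
    """Constructed sample: an n-byte file that is one large hole where supported."""
    fd, path = tempfile.mkstemp()
    os.ftruncate(fd, n)
    os.close(fd)
    return path

if __name__ == "__main__":
    hole = make_sparse_file(16 << 20)  # constructed 16 MiB sample
    print("apparent/allocated bytes:", sizes(hole))
    try:
        with open(hole, "rb") as f:
            read_capped(f)
    except TooLarge as exc:
        print("rejected:", exc)
    os.unlink(hole)
```

The cap is checked against bytes actually returned by `read()`, so it holds whether the size comes from decompression or from holes that read back as zeros.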