Definition of command line in the Exec key

Simon McVittie smcv at collabora.com
Tue Mar 28 17:45:58 UTC 2017 

On Tue, 28 Mar 2017 at 10:51:05 +0200, Oswald Buddenhagen wrote:
> On Thu, Mar 23, 2017 at 12:24:56PM +0000, Simon McVittie wrote:
> > No, the content of Exec= is not a one-line shell script.
>
> actually, it is in a way, as you're saying yourself further down.
> and in kde, it is even in fact - the evaluator is smart enough to use an
> actual shell if the command gets too complex. but relying on that is
> obviously unportable.

If you run it in an actual shell, do you filter/reject more complex
syntax in some way, so that there's some hope that desktop files written
by KDE users will be portable to other environments?

> > If you need to use shell constructs like if...fi, ``, ${} then you
> > must invoke a shell yourself:
> > 
> >     Exec=sh -c "if foo; then bar; else baz; fi"
> > 
> this is actually horrible advice, as it is pretty much guaranteed to
> overtax the automatic quoting of expandos inside the nested command.

If by "expando" you mean "field code" in the desktop entry spec's jargon
(%f and so on), that's fine: field code expansion inside a quoted argument
is undefined behaviour according to the desktop entry spec anyway, so
implementations are not required to do something sensible when they
encounter it.

(GLib's implementation substitutes field codes (wrapped in shell-style
quoting) before doing shell-style parsing, so it is possible to get a
"garbage in, garbage out" situation.)

> if you need a compound command, ship an _actual_ script and have the
> .desktop file invoke it.

This is good advice, though. Or preferably, write your logic in something
with fewer sharp edges than shell script :-)

> i find it unfortunate that the shared
> subset which is considered valid is comparably small.

I think that's a feature more than a bug, actually: it means implementors
are allowed to avoid using an actual shell (the implementation in GLib
never does, and still isn't particularly large). "Don't ever run a shell"
is a good way to be confident that you've avoided shell injection
attacks.

    S

More information about the xdg mailing list