I wonder if it would be worth proposing a change to whatever system
component handles opening files (probably something in Glib, or
xdg-utils, haven't researched that deeply yet), so that handlers cannot
be registered for certain "dangerous" file types (i.e. ELF/PE/Mach-O
executables, scripts in various languages, etc.)? The only real
downside I can see to that is the inability to text editors to
register themselves as handlers for script MIME types, and in those
instances, the editor can register itself as the handler for another
applicable, more generic MIME type (i.e. text/plain), then change its
behavior based on the more detailed MIME type of the file after it
opens it.
Applications which actually want to associate file with arbitrary code
execution
(or other potentially malicious actions), can register a wrapper :
Exec=wine-prompt %F
# Alternatively: Exec=wine --prompt-user %F
This wrapper can warn of the security implications and ask for
confirmation,
similar to how most file manager now ask for confirmation before
executing
a native executable or a .desktop file.
The .desktop format could be extended with an additional entry such as:
# bike-shed name:
Unsafe-Exec=wine %F
A caller not implementing this extension, would ignore this line and
call the
prompt wrapper.
A caller implementing this extension, could ask for confirmation itself
and then call the unsafe command.
Gabriel
