A while ago it was discussed how .desktop files made us vulnerable to the same problems Windows and OS X have had with executable files pretending to be data files. At the time nothing was done, as it was a theoretical possibility. One enterprising hacker (Peter Lund) has now managed to make a .desktop file which is simultaneously a valid shell script, in other words, you can put any code you like in it and it'll run without any network access. Such a .desktop file can appear to be anything you want such as a JPEG image.
At the time I suggested we change the spec so that .desktop files which would execute a program when clicked cannot use mime type icons. This would cause minimal breakage, because mime type icons are totally un-specified anyway right now and so very few programs actually ship them. There's also few legit reasons why a program would be using a MIME type icon as its primary icon. Does this plan sound OK to people? thanks -mike _______________________________________________ xdg mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/xdg
