On Thursday 23 March 2006 06:13, Mike Hearn wrote:
> possibility. One enterprising hacker (Peter Lund) has now managed to make
> a .desktop file which is simultaneously a valid shell script, in other
> words, you can put any code you like in it and it'll run without any
> network access. Such a .desktop file can appear to be anything you want
> such as a JPEG image.

is there such an example .desktop file we can get our hands on to look at, test and assess the situation directly?

> At the time I suggested we change the spec so that .desktop files which
> would execute a program when clicked cannot use mime type icons. This
> would cause minimal breakage, because mime type icons are totally
> un-specified anyway right now and so very few programs actually ship them.
> There's also few legit reasons why a program would be using a MIME type
> icon as its primary icon.

what prevents a malicious .desktop file from using any of the other icons we ship and pretending to be something else? looking through just the Application icons i have on disk here, any number of them could be used to pretend to be a movie, an mp3, a word processing document .....

-- 
Aaron J. Seigo
GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA EE75 D6B7 2EB1 A7F1 DB43
Full time KDE developer sponsored by Trolltech (http://www.trolltech.com)
_______________________________________________
xdg mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/xdg
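The rule proposed in the quoted text (a .desktop file that executes a program may not use a MIME type icon), sketched as an added example that is not part of the original message or of any desktop's code. The icon-name patterns, the suffix list, the finding labels and the sample entries are assumptions constructed for illustration; the second sample shows the gap raised in the reply, where an ordinary application icon passes the icon rule.

```python
import re

# Assumption: name patterns standing in for "MIME type icons"; the thread notes
# these names were unspecified, so this is a heuristic, not a spec rule.
MIME_ICON = re.compile(
    r"^(gnome-mime-|mime-|(application|audio|image|text|video)[-_/])", re.I)
# Constructed list of suffixes that make a launcher's Name look like a document.
DOC_SUFFIX = re.compile(r"\.(jpe?g|png|gif|pdf|mp3|ogg|avi|mpe?g|txt|doc|odt)$", re.I)

def parse_desktop_entry(text):
    """Return the key/value pairs of the [Desktop Entry] group only."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            entry.setdefault(key.strip(), value.strip())  # first occurrence wins
    return entry

def audit(text):
    """List reasons an executing .desktop file could pass for a document."""
    entry = parse_desktop_entry(text)
    findings = []
    if not entry.get("Exec"):
        return findings  # nothing is executed on click, so the rule does not apply
    if MIME_ICON.search(entry.get("Icon", "")):
        findings.append("mime-icon")
    if DOC_SUFFIX.search(entry.get("Name", "")):
        findings.append("document-like-name")
    return findings

# Constructed samples; Exec is a harmless placeholder command.
MIME_ICON_LAUNCHER = ("[Desktop Entry]\nType=Application\nName=holiday.jpg\n"
                      "Exec=/bin/true\nIcon=image-jpeg\n")
# An application icon (hypothetical name) is not caught by the icon rule.
APP_ICON_LAUNCHER = ("[Desktop Entry]\nType=Application\nName=Holiday video\n"
                     "Exec=/bin/true\nIcon=media-player\n")

if __name__ == "__main__":
    for label, sample in (("mime icon", MIME_ICON_LAUNCHER),
                          ("app icon", APP_ICON_LAUNCHER)):
        print(label, audit(sample))
```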
