What I don't get is why we're trying to solve it only for .desktop files. It's a problem for all file types. For .desktop files, we should just make the spec more explicit on how things should get executed, and how to validate the Exec= line.

Clearly we can't just check that there are arguments in the .desktop file. One of the nice things about the current spec is that it has argument passing, so you can, for example, just drag a file onto a .desktop file launcher for a program, to open the file in that program.

Simply requiring +x isn't going to solve anything. It may not be preserved through straight web downloads, but gzip will preserve permissions. So you could ship malicious .desktop files, compressed with gzip, and require the user to uncompress them to use them. Or better yet, you can just have a .shar file, or autopackage script.

Can we work on coming up with a more general solution for this, rather than concentrating on .desktop files? We really need to apply a solution for the problem on a much broader scope.

The current "solution" in Nautilus really sucks, and won't let me even open valid files, where the extension disagrees with the data mime type discovery. Perhaps this is fixed, or at least works better with the new shared-mime-info or in the latest Nautilus, but I haven't tried much yet. Also, the dialog it produces when there is a MIME type disagreement is long and scary. We shouldn't do that unless we know for sure there is a problem.

-- dobey

On Tue, 2006-03-28 at 20:18 +0200, Thiago Macieira wrote:
> Ludwig Nussel wrote:
> >I wonder why desktop files get 'executed' at all. Only the programs
> >that display the desktop and the menu need to run what's described
> >in a desktop file. For everything else the default action could be
> >just like the one for text/plain, ie launch an editor.
>
> The desktop and the file manager are usually the same backend. And if you
> were to browse to ~/Desktop in your filemanager, wouldn't you want to be
> able to click on your shortcuts?

_______________________________________________
xdg mailing list
http://lists.freedesktop.org/mailman/listinfo/xdg
