First off, you apparently missed the whole thread about this, which was started on March 23. You might want to look at the archives and read through it. The replies extend into April.
http://lists.freedesktop.org/archives/xdg/2006-March/007904.html On Sun, 2006-04-02 at 22:29 -0700, Sam Watkins wrote: > 1. do you agree that this is a serious security problem? I don't think it is a serious security problem. While it does expose the ability to run shell commands from the .desktop file, it doesn't seem likely that many people will do it. I mean, Windows has had shortcut files which are pretty much exactly the same as our .desktop files, and you never hear of anyone doing specific attacks like you suggest would be done. There are much more interesting ways to do them, than to have a .desktop file with an icon/label that lies about itself. > 2. do you think we should fix it? I don't think we should rely on the +x bit. The point of the +x bit, is that you can run the thing, from anywhere. Just setting it +x won't let you run it from the shell. You'd have to change the spec to specify an implementation to be an interpreter that works on the console, and that the first line of .desktop files be #!/path/to/interpreter, which may differ between systems. This would be quite bad and annoying, for the user to deal with. However, what I /do/ think we should do, is to fix the spec, and the implementations, to more clearly define and interpret the Exec field. The problem raelly is that it's fairly arbitrary in what it allows. Clarifying that to be more specific, to disallow language interpretation from the .desktop file, would help a lot more than just +x, I think. You could easily default a download to +x, simply by putting it within an archive which does preserve permission bits. The attacker could quite easily put the .desktop file in a .tar, and when the user downloads it, and opens it, they see a file in the archive utility, and then run it, and since it has the +x already, we would just run it. It doesn't seem like that is much of a solution to me. :) -- dobey _______________________________________________ xdg mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/xdg
