On Mon Apr 3 15:59:16 2006, Rodney Dawes wrote:
> On Mon, 2006-04-03 at 15:24 +0100, Scott James Remnant wrote:
> > On Mon, 2006-04-03 at 09:48 -0400, Rodney Dawes wrote:
> > > On Sun, 2006-04-02 at 22:29 -0700, Sam Watkins wrote:
> > > > 1. do you agree that this is a serious security problem?
> > >
> > > I don't think it is a serious security problem. While it does expose
> > > the ability to run shell commands from the .desktop file, it doesn't
> > > seem likely that many people will do it. I mean, Windows has had
> > > shortcut files which are pretty much exactly the same as our .desktop
> > > files, and you never hear of anyone doing specific attacks like you
> > > suggest would be done. There are much more interesting ways to do them,
> > > than to have a .desktop file with an icon/label that lies about itself.
> >
> > Uh, PIF file attacks were very common for a long time in Windows.
>
> Uhm. They weren't actually PIF files. They were executables with
> the .pif extension.

Are you absolutely sure about that? Because PIF files could contain
executable code and all sorts, but weren't themselves executable
programs as such, I thought. I'm not certain about that either,
though.

> The same thing was done with .scr, which Windows
> uses for screensavers.

But having written a screensaver or two for Windows, I do recall that
these are definitely executables all the time. The different
extension is purely there to indicate which executables are actually
screensavers.

Dave.
--
You see things; and you say "Why?"
But I dream things that never were; and I say "Why not?"
- George Bernard Shaw