Benedikt Meurer wrote on Thu 25. 01. 2007 at 10:44 +0100:
> Stanislav Brabec wrote:
> > We just got a new bug report. After playing with it, I believe that it
> > is a security problem. I am attaching a file, which is not supposed to
> > be displayed as image, but it is (you need gnome-desktop package to see
> > the icon).
> >
> > It's enough to save this file to any directory and you execute anything.
> > Note, that the file name is "apple.jpg ".
> >
> > https://bugzilla.novell.com/show_bug.cgi?id=238503
> >
> > Proposed fix:
> > Better .desktop file detection in shared-mime-info (e. g. remove magic).
>
> Hm, I would suggest to fix gnome-vfs instead. For example, the Xfce file
> manager identifies this file as possible malware.

I guess that gnome-vfs has no problem, but the problem is the too vague definition of application/x-desktop in shared-mime-info.

If you rename this file to "apple.jpg", nautilus will correctly evaluate the MIME type conflict and will not open it. But because the pattern "*.jpg " has no MIME association, shared-mime-info offers no warning that a file which conforms to the defined magic but does not have a name in the form "*.desktop" is suspicious.

The glob pattern and magic in shared-mime-info mean: recognize the MIME type if the file has the suffix OR the file conforms to the magic. In this case, we need AND (or remove the magic altogether).

-- 
Best Regards / S pozdravem,

Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o.          e-mail: [EMAIL PROTECTED]
Lihovarská 1060/12            tel: +420 284 028 966
190 00 Praha 9                fax: +420 284 028 951
Czech Republic                http://www.suse.cz/
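
The OR versus AND matching described in the message above, as an added example that is not part of the original post and is not shared-mime-info code. The glob table, the magic check, the fallback type and the sample launcher bytes are simplified, constructed assumptions.

```python
import fnmatch

# Simplified stand-in for the shared-mime-info database (assumption).
GLOBS = {"*.desktop": "application/x-desktop", "*.jpg": "image/jpeg"}
DESKTOP = "application/x-desktop"
DESKTOP_MAGIC = b"[Desktop Entry]"      # simplified magic rule (assumption)
FALLBACK = "application/octet-stream"   # assumed type when nothing matches

def glob_type(name):
    """MIME type from the file name; a trailing space defeats "*.jpg"."""
    for pattern, mime in GLOBS.items():
        if fnmatch.fnmatchcase(name, pattern):
            return mime
    return None

def magic_type(head):
    """MIME type from the first bytes of the content."""
    return DESKTOP if DESKTOP_MAGIC in head[:64] else None

def detect_or(name, head):
    """Suffix OR magic. Returns (mime, conflict_seen)."""
    g, m = glob_type(name), magic_type(head)
    return (g or m or FALLBACK, bool(g and m and g != m))

def detect_and(name, head):
    """Launcher only if suffix AND magic agree. Returns (mime, suspicious)."""
    g, m = glob_type(name), magic_type(head)
    if DESKTOP in (g, m) and g != m:
        # Launcher content under a non-launcher name is the suspicious case;
        # a *.desktop name without the magic is simply not a launcher.
        other = g if g != DESKTOP else None
        return (other or FALLBACK, m == DESKTOP)
    return (g or m or FALLBACK, False)

# Constructed sample: harmless launcher content standing in for the attachment.
LAUNCHER = b"[Desktop Entry]\nType=Application\nName=apple\nExec=/bin/true\n"

if __name__ == "__main__":
    for name in ("apple.jpg ", "apple.jpg", "apple.desktop"):
        print(repr(name), detect_or(name, LAUNCHER), detect_and(name, LAUNCHER))
```

With OR matching, only the name "apple.jpg" produces a visible conflict; "apple.jpg " matches no glob, so the magic alone decides and nothing is flagged.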
