Re: Security Issue of .desktop files
On Tue, 24 Feb 09 17:36, Daniel Ruoso wrote:
> Em Ter, 2009-02-24 às 20:49 +0100, Emilio Pozuelo Monfort escreveu:
> > Daniel Ruoso wrote:
> > > Em Ter, 2009-02-24 às 19:35 +0100, Josselin Mouette escreveu:
> > >> Le mardi 24 février 2009 à 15:21 -0300, Daniel Ruoso a écrit :
> > >>> Last week, an old security issue in desktop environments went through a
> > >>> widely public discussion (including on slashdot)[1][2]. As I said, this
> > >>> issue is not new[3], but there seem to be no action on the upstream to
> > >>> fix it.
> > >> On the contrary, there is action upstream to fix it, and Nautilus 2.26
> > >> will only launch “safe” .desktop files.
> > > and what are "safe" .desktop files?
> > See this mail and its followups:
> > http://mail.gnome.org/archives/desktop-devel-list/2009-February/msg00132.html
>
> I'm glad to see that, it's a shame I haven't found that thread. So, for
> the record, *nautilus* is solving the .desktop files issue by:
>
> 1) Special casing files that are system-wide installed.
> 2) Requiring .desktop files to have the x bit set otherwise.
>
> I'm pretty happy with that solution (although I would prefer not having
> the "launch anyway"/"mark as trusted" box, but rather simply show the
> properties dialog for a non-executable-non-system-wide .desktop file
> (but I think that should go as an suggestion to upstream)).
FWIW the same has been implemented in KDE. There are some recent threads
in kde-core-devel if you are interested in further information.
Greetings,
Armin
Reply to: