
Re: Security Issue of .desktop files



On Tue, 2009-02-24 at 19:53 +0100, Yves-Alexis Perez wrote:
> On mar, 2009-02-24 at 15:21 -0300, Daniel Ruoso wrote:
> > Last week, an old security issue in desktop environments went through a
> > widely public discussion (including on slashdot)[1][2]. As I said, this
> > issue is not new[3], but there seems to be no action on the upstream to
> > fix it.
> In Xfce this discussion arose at some time, and Thunar/xfdesktop will
> refuse to run “unsafe” .desktop files and present them with the mimetype
> x-thunar/suspected-malware.

I'm sorry, but that only addresses one half of the problem, which nautilus
in Debian also addresses. But it doesn't prevent desktop files that look
just right to be invoked directly after they are downloaded from a web
browser.

The issue here is about recognizing that .desktop files are executables,
and, as such, must have the x bit set in order to be executed. Consider
the user downloading a file from iceweasel, that sends it directly to
the Desktop. In a single step, the file is available with whatever
appearance it desires and is able to execute whatever it wants to.

daniel
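
Added example, not part of the original message: a minimal sketch of the launcher-side check argued for above, where a `.desktop` file carrying an `Exec=` line is refused unless it has an execute bit. The function names and the sample entry are constructed for illustration and are not taken from Thunar, Nautilus or any other file manager.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample: a launcher whose name and icon present it as a document.
SAMPLE = """[Desktop Entry]
Type=Application
Name=Report
Icon=x-office-document
Exec=sh -c "echo constructed-sample"
"""

def parse_desktop_entry(path):
    """Return the [Desktop Entry] group as a dict, or {} if absent/unparsable."""
    parser = configparser.RawConfigParser(
        delimiters=("=",), comment_prefixes=("#",), strict=False)
    parser.optionxform = str  # .desktop keys are case-sensitive
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            parser.read_file(fh)
    except (configparser.Error, OSError):
        return {}
    if not parser.has_section("Desktop Entry"):
        return {}
    return dict(parser.items("Desktop Entry"))

def launch_decision(path):
    """Treat a launcher like any other executable: no x bit, no execution."""
    entry = parse_desktop_entry(path)
    if entry.get("Type") != "Application" or "Exec" not in entry:
        return "not-a-launcher"
    any_x = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return "allow" if os.stat(path).st_mode & any_x else "refuse"

def demo():
    """Save SAMPLE the way a download would (0644), then mark it executable."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "report.desktop")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        as_downloaded = launch_decision(path)
        os.chmod(path, 0o755)
        after_chmod = launch_decision(path)
    return as_downloaded, after_chmod

if __name__ == "__main__":
    print(demo())
```
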

