Re: .desktop arbitrary program execution
Quoting David Mandelberg (mandelbergd@eth0.is-a-geek.org):
> You also asked a question about something I didn't say (I said that
> the person had to open it).
Actually, no, you didn't. (Presumably you intended to, though.)
Your question spoke of "opening" a particularly-named attachment: You
left unstated who or what was supposed to be doing the opening. Since
this was in the context of MUAs, I inferred that you meant the MUA doing
it -- that being a standard application-security problem.
Specifically, you said:
> Do you mean to say that opening "message.txt\t\t\t.desktop" which
> happens to be a freedesktop.org compliant launcher for the program "rm
> -rf $HOME" is safe because it's designed for people running one of the
> F/OSS products GNOME or KDE on a F/OSS OS?
Since (it turns out) you meant people _manually_ shooting themselves in
the foot, that is indeed a different scenario from what I thought you
meant.
So, I'm sorry for inadvertently stepping on your scenario, but it was an
honest and straightforward interpretation of what you said.