From kde-core-devel Fri Feb 13 10:56:32 2009
From: David Faure
Date: Fri, 13 Feb 2009 10:56:32 +0000
To: kde-core-devel
Subject: Re: requiring .desktop files to be executable ?
Message-Id: <200902131156.33778.faure () kde ! org>
X-MARC-Message: https://marc.info/?l=kde-core-devel&m=123452264013897

On Wednesday 11 February 2009, Alexander Neundorf wrote:
> Hi,
>
> here's an article and comments about potential security problems
> with "executing" .desktop files although they are not executable:
> http://lwn.net/Articles/318755/
>
> Should we do something about it ?

Yes, I think so.

Re-reading the 2006 xorg discussion about it:
http://archive.netbsd.se/?ml=xorg-xdg&a=2006-03&t=2724527
it seems to me that the KDE developers involved in the discussion were
in favour of requiring +x for desktop files, but Rodney Dawes (gnome) was not...

Kevin Ottens and I had the idea of doing this slightly differently btw:
we could require +x when the desktop file is not in a standard directory
for desktop files. This would allow us to catch "save this file in your home
or on your desktop" without breaking all the desktop files already
distributed with applications.

--
David Faure, faure@kde.org, sponsored by Qt Software @ Nokia to work on KDE,
Konqueror (http://www.konqueror.org), and KOffice (http://www.koffice.org).
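
The check proposed in the message above (require +x only when a .desktop file lies outside a standard directory), sketched as an added example that is not part of the original post and not KDE's code. The function names, the list of standard directories passed in, and the sample files are assumptions made for illustration.

```python
import os
import stat
import tempfile

def is_within(path, directory):
    # Resolve symlinks and ".." first, so a link placed inside a standard
    # directory that points at a downloaded file does not inherit its trust.
    real, base = os.path.realpath(path), os.path.realpath(directory)
    return os.path.commonpath([real, base]) == base

def may_launch(path, standard_dirs):
    """Hypothetical policy check: files in a standard directory launch as
    before; anywhere else the file must be a regular file with +x set."""
    if any(is_within(path, d) for d in standard_dirs):
        return True
    mode = os.stat(path).st_mode
    return stat.S_ISREG(mode) and bool(mode & stat.S_IXUSR)

def demo():
    # Constructed sample tree: one "installed" entry, two on the desktop.
    with tempfile.TemporaryDirectory() as root:
        apps = os.path.join(root, "share", "applications")
        desktop = os.path.join(root, "Desktop")
        os.makedirs(apps)
        os.makedirs(desktop)
        results = {}
        for name, folder, mode in [("installed", apps, 0o644),
                                   ("saved", desktop, 0o644),
                                   ("marked", desktop, 0o755)]:
            path = os.path.join(folder, name + ".desktop")
            with open(path, "w") as f:
                f.write("[Desktop Entry]\nType=Application\nExec=true\n")
            os.chmod(path, mode)
            results[name] = may_launch(path, [apps])
        # A symlink inside the standard directory pointing at the saved file.
        link = os.path.join(apps, "link.desktop")
        os.symlink(os.path.join(desktop, "saved.desktop"), link)
        results["link"] = may_launch(link, [apps])
        return results

if __name__ == "__main__":
    print(demo())
```

The mode bits are read with stat rather than os.access so the result does not depend on the calling user or on mount options.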