On Wednesday 11 February 2009, Alexander Neundorf wrote:
> Hi,
> 
> here's an article and comments about potential security problems 
> with "executing" .desktop files although they are not executable:
> http://lwn.net/Articles/318755/
> 
> Should we do something about it ?

Yes, I think so.

Re-reading the 2006 xorg discussion about it:
http://archive.netbsd.se/?ml=xorg-xdg&a=2006-03&t=2724527

it seems to me that the KDE developers involved in the discussion
were in favour of requiring +x for desktop files, but Rodney Dawes
(gnome) was not...

Kevin Ottens and I had the idea of doing this slightly differently btw:
we could require +x when the desktop file is not in a standard
directory for desktop files. This would allow to catch "save this file
in your home or on your desktop" without breaking all the desktop files
already distributed with applications.

-- 
David Faure, faure@kde.org, sponsored by Qt Software @ Nokia to work on KDE,
Konqueror (http://www.konqueror.org), and KOffice (http://www.koffice.org).