[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-core-devel
Subject:    Re: requiring .desktop files to be executable ?
From:       David Faure <faure () kde ! org>
Date:       2009-02-13 10:56:32
Message-ID: 200902131156.33778.faure () kde ! org
[Download RAW message or body]

On Wednesday 11 February 2009, Alexander Neundorf wrote:
> Hi,
> 
> here's an article and comments about potential security problems 
> with "executing" .desktop files although they are not executable:
> http://lwn.net/Articles/318755/
> 
> Should we do something about it ?

Yes, I think so.

Re-reading the 2006 xorg discussion about it:
http://archive.netbsd.se/?ml=xorg-xdg&a=2006-03&t=2724527

it seems to me that the KDE developers involved in the discussion
were in favour of requiring +x for desktop files, but Rodney Dawes
(gnome) was not...

Kevin Ottens and I had the idea of doing this slightly differently btw:
we could require +x when the desktop file is not in a standard
directory for desktop files. This would allow to catch "save this file
in your home or on your desktop" without breaking all the desktop files
already distributed with applications.

-- 
David Faure, faure@kde.org, sponsored by Qt Software @ Nokia to work on KDE,
Konqueror (http://www.konqueror.org), and KOffice (http://www.koffice.org).
[prev in list] [next in list] [prev in thread] [next in thread]