'Re: Update on progress [PATCH]'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-core-devel
Subject:    Re: Update on progress [PATCH]
From:       Michael Pyne <mpyne () purinchu ! net>
Date:       2009-02-21 19:14:31
Message-ID: 200902211414.32600.mpyne () purinchu ! net
[Download RAW message or body]

[Attachment #2 (multipart/alternative)]


On Saturday 21 February 2009, John Tapsell wrote:
> In the screenshot, the text service 'mileage tracker' comes from the
> untrusted .desktop file itself right?  So couldn't the malicious
> .desktop file put any service name?  Such as "system.  This is a vital
> service - so you must click continue or risk breaking your system."

Yes.  Hmm, every part of the .desktop file is untrusted, including the 
filename.  I wonder what makes sense to put instead, if anything.  I'd rather 
not leave the dialog completely devoid of a clue as to what the service is.  
(We will have the Exec= line once I get the Details button to work)

Regards,
 - Michael Pyne

[Attachment #5 (text/html)]

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" \
"http://www.w3.org/TR/REC-html40/strict.dtd"><html><head><meta name="qrichtext" \
content="1" /><style type="text/css">p, li { white-space: pre-wrap; \
}</style></head><body style=" font-family:'Droid Sans Mono'; font-size:10pt; \
font-weight:400; font-style:normal;">On Saturday 21 February 2009, John Tapsell \
wrote:<br> &gt; In the screenshot, the text service 'mileage tracker' comes from \
the<br> &gt; untrusted .desktop file itself right?  So couldn't the malicious<br>
&gt; .desktop file put any service name?  Such as "system.  This is a vital<br>
&gt; service - so you must click continue or risk breaking your system."<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; \
margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; \
-qt-user-state:0;"><br></p>Yes.  Hmm, every part of the .desktop file is untrusted, \
including the filename.  I wonder what makes sense to put instead, if anything.  I'd \
rather not leave the dialog completely devoid of a clue as to what the service is.  \
(We will have the Exec= line once I get the Details button to work)<br> <p \
style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; \
margin-right:0px; -qt-block-indent:0; text-indent:0px; \
                -qt-user-state:0;"><br></p>Regards,<br>
 - Michael Pyne</p></body></html>


["signature.asc" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic