List:       kde-core-devel
Subject:    Re: Update on progress [PATCH]
From:       John Tapsell <johnflux () gmail ! com>
Date:       2009-02-23 1:35:47
Message-ID: 43d8ce650902221735r1481e144sd73634ad86f2002e () mail ! gmail ! com

2009/2/21 Michael Pyne <mpyne@purinchu.net>:
> On Saturday 21 February 2009, John Tapsell wrote:
>> In the screenshot, the text service 'mileage tracker' comes from the
>> untrusted .desktop file itself right? So couldn't the malicious
>> .desktop file put any service name? Such as "system. This is a vital
>> service - so you must click continue or risk breaking your system."
>
> Yes. Hmm, every part of the .desktop file is untrusted, including the
> filename. I wonder what makes sense to put instead, if anything. I'd rather
> not leave the dialog completely devoid of a clue as to what the service is.
> (We will have the Exec= line once I get the Details button to work)

True.  Maybe put the path that the file is in, and a sanitized
filename? (A-Za-z*) or something.
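
One way to build the label suggested in this message (the directory plus an allow-listed file name), as an added example that is not part of the original thread or of KDE's code. `PromptLabel`, `allowList` and `makePromptLabel` are hypothetical names, the sample path is constructed, and widening the allow-list from A-Za-z to digits and `._-` is an assumption.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical type, not KDE API: the two strings a warning dialog would show.
struct PromptLabel {
    std::string directory;
    std::string fileName;
    bool altered = false;  // true if any byte was replaced or the text was cut
};

// Allow-list filter. The message suggests A-Za-z; digits and "._-" are an
// added assumption so that ordinary file names stay readable.
static std::string allowList(const std::string& in, bool allowSlash,
                             std::size_t maxLen, bool& altered) {
    std::string out;
    for (unsigned char c : in) {
        if (out.size() == maxLen) {  // cap length so text cannot fill the dialog
            altered = true;
            return out + "...";
        }
        const bool ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                        (c >= '0' && c <= '9') || c == '.' || c == '_' ||
                        c == '-' || (allowSlash && c == '/');
        if (!ok) altered = true;  // spaces, control bytes, UTF-8 (bidi overrides)
        out += ok ? static_cast<char>(c) : '?';
    }
    return out;
}

// Build the label from the on-disk path only; Name= and other keys inside
// the .desktop file are never used for display.
PromptLabel makePromptLabel(const std::string& path) {
    PromptLabel label;
    const std::size_t slash = path.rfind('/');
    const std::string dir = (slash == std::string::npos) ? std::string() : path.substr(0, slash);
    const std::string file = (slash == std::string::npos) ? path : path.substr(slash + 1);
    label.directory = allowList(dir, true, 120, label.altered);
    label.fileName = allowList(file, false, 40, label.altered);
    return label;
}

int main() {
    // Constructed sample path with a sentence and a newline in the file name.
    const PromptLabel l = makePromptLabel("/home/user/Desktop/system. Click continue\n.desktop");
    std::cout << l.directory << "\n" << l.fileName << "\n";
    return 0;
}
```

The `altered` flag lets the dialog state that the displayed name differs from the name on disk.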