requiring .desktop files to be executable ?

Alexander Neundorf neundorf at kde.org
Fri Feb 13 11:08:36 GMT 2009


On Friday 13 February 2009, David Faure wrote:
> On Wednesday 11 February 2009, Alexander Neundorf wrote:
> > Hi,
> >
> > here's an article and comments about potential security problems
> > with "executing" .desktop files although they are not executable:
> > http://lwn.net/Articles/318755/
> >
> > Should we do something about it ?
>
> Yes, I think so.
>
> Re-reading the 2006 xorg discussion about it:
> http://archive.netbsd.se/?ml=xorg-xdg&a=2006-03&t=2724527
>
> it seems to me that the KDE developers involved in the discussion
> were in favour of requiring +x for desktop files, but Rodney Dawes
> (gnome) was not...
>
> Kevin Ottens and I had the idea of doing this slightly differently btw:
> we could require +x when the desktop file is not in a standard
> directory for desktop files. This would allow catching "save this file
> in your home or on your desktop" without breaking all the desktop files
> already distributed with applications.

Then they could also have e.g. #!/usr/bin/env xdg-open or something as their 
first line, right ?

Alex
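
The rule quoted above (require +x only for .desktop files outside the standard directories) could be checked as follows. This is an added example, not code from this thread or from KDE. `standard_dirs` and `may_launch` are hypothetical names, and treating the XDG `applications/` directories as the "standard directories" is an assumption.

```python
import os
import stat
import sys
from pathlib import Path


def standard_dirs(env=os.environ):
    """Assumed meaning of "standard directory": applications/ under the XDG data dirs."""
    data_home = env.get("XDG_DATA_HOME") or os.path.join(env.get("HOME", "/"), ".local/share")
    data_dirs = env.get("XDG_DATA_DIRS") or "/usr/local/share:/usr/share"
    return [Path(d) / "applications" for d in [data_home, *data_dirs.split(":")] if d]


def may_launch(desktop_file, trusted_dirs):
    """Return (allowed, reason) for launching desktop_file under the proposed rule."""
    try:
        # Resolve symlinks and ".." first, so a link placed in a standard
        # directory cannot vouch for a file stored somewhere else.
        real = Path(desktop_file).resolve(strict=True)
        mode = real.stat().st_mode
    except (OSError, RuntimeError):
        return False, "cannot be read"
    if not stat.S_ISREG(mode):
        return False, "not a regular file"
    for d in trusted_dirs:
        try:
            root = Path(d).resolve(strict=True)
        except (OSError, RuntimeError):
            continue  # a standard directory that does not exist vouches for nothing
        if root in real.parents:
            return True, "in a standard directory"
    # Outside the standard directories: require an execute bit (mode bits only).
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return True, "outside standard directories, marked executable"
    return False, "outside standard directories, not executable"


if __name__ == "__main__":
    for arg in sys.argv[1:]:
        allowed, reason = may_launch(arg, standard_dirs())
        print(f"{arg}: {'launch' if allowed else 'refuse'} ({reason})")
```

A file saved from a browser or mail client normally arrives without an execute bit, so it lands in the last branch and is refused until the user sets +x.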





More information about the kde-core-devel mailing list