First work on .desktop file brouhaha [PATCH]

Michael Pyne mpyne at purinchu.net
Thu Feb 19 21:22:20 GMT 2009


On Thursday 19 February 2009, John Tapsell wrote:
> 2009/2/19 Michael Pyne:
> > * If still not, could the user create the file? If not allow it.
>
> Maybe allow only if the user can't write to it _and_ it's owned by
> root?  I can't think of a problem with your way, but..  I feel a bit
> uneasy.  Taking _away_ write permissions shouldn't suddenly allow the
> desktop file to be executed.

Why not, adding execute permissions does. :P

At least the idea so far from my point of view is that we want to make sure 
that simply saving a .desktop file doesn't result in a trojan that you can 
execute with one click, so we require it to be executable.  Removing the write 
bit or adding the executable bit is still just one permission modification 
needed to allow a trojan .desktop file to execute.

> Just as a minor point:
> requestResult.error = i18n("Service '%1' is malformatted.",
> service->entryPath());
> + if (service->isValid())
> + requestResult.error = i18n("Service '%1' must be executable to
> run.", service->entryPath());
>
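
Review bot: on the added `if (service->isValid())` line, the "must be executable to run" text is chosen for every valid service that reaches this error path, and the visible lines do not show that a missing executable bit is the only way a valid service gets here. Testing the executable-bit condition directly when picking the message, or adding a one-line comment naming the check that leads into this block, would keep the user from being told to mark a file executable when the refusal had another cause.
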
> Could you make this an if-else  instead, just to save setting error
> and then changing it.  Save one i18n lookup :-)

Sure, I've been trying to minimize branches in code for a while now, but here it 
is worth it to be sure not to use the extra i18n().

Regards,
 - Michael Pyne
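
An added example, not code from the patch or from KDE: it models only the two fallback rules debated in this message (allow when the user cannot write to the file, versus allow only when the file is also owned by root) so the permission states where they disagree are visible. The struct, the function names, the sample uid 1000, reading "could the user create the file" as a write-permission test, and leaving out group permissions are all assumptions.

```cpp
#include <cstdio>
#include <sys/stat.h>
#include <sys/types.h>

// Hypothetical, simplified view of a .desktop file (not a KDE type).
struct DesktopFileInfo {
    mode_t mode;   // permission bits, as in st_mode
    uid_t owner;   // owning uid, as in st_uid
};

// Assumption: the group class is left out, so the caller is either the
// owner (owner bits apply) or "other" (other bits apply); root can write.
static bool hasBit(const DesktopFileInfo &f, uid_t uid, mode_t own, mode_t oth) {
    return (f.mode & (uid == f.owner ? own : oth)) != 0;
}
static bool canExecute(const DesktopFileInfo &f, uid_t uid) {
    return hasBit(f, uid, S_IXUSR, S_IXOTH);
}
static bool canWrite(const DesktopFileInfo &f, uid_t uid) {
    return uid == 0 || hasBit(f, uid, S_IWUSR, S_IWOTH);
}

// Fallback from the message (assumed reading): executable, or not writable.
bool allowedIfNotWritable(const DesktopFileInfo &f, uid_t uid) {
    return canExecute(f, uid) || !canWrite(f, uid);
}

// Stricter variant from the quoted reply: the fallback also needs root ownership.
bool allowedIfRootOwned(const DesktopFileInfo &f, uid_t uid) {
    return canExecute(f, uid) || (!canWrite(f, uid) && f.owner == 0);
}

int main() {
    const uid_t user = 1000;  // constructed sample uid
    const DesktopFileInfo samples[] = {
        {0644, 0},     // system file installed by root
        {0644, 1000},  // freshly saved download
        {0444, 1000},  // same download after chmod a-w
        {0755, 1000},  // user marked it executable
    };
    for (const DesktopFileInfo &s : samples)
        std::printf("%04o uid=%u  not-writable rule: %d  root-owned rule: %d\n",
                    (unsigned)s.mode, (unsigned)s.owner,
                    allowedIfNotWritable(s, user), allowedIfRootOwned(s, user));
    return 0;
}
```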