Update on progress [PATCH]
Hans Meine
hans_meine at gmx.net
Tue Mar 3 09:32:19 GMT 2009
On Saturday 21 February 2009 20:14:31 Michael Pyne wrote:
> On Saturday 21 February 2009, John Tapsell wrote:
> > In the screenshot, the text service 'mileage tracker' comes from the
> > untrusted .desktop file itself right? So couldn't the malicious
> > .desktop file put any service name? Such as "system. This is a vital
> > service - so you must click continue or risk breaking your system."
>
> Yes. Hmm, every part of the .desktop file is untrusted, including the
> filename. I wonder what makes sense to put instead, if anything. I'd
> rather not leave the dialog completely devoid of a clue as to what the
> service is. (We will have the Exec= line once I get the Details button to
> work)

How about proper "quoting" then? I.e. explicitly state:

  You are about to run a service not marked as executable program.
  The service identifies itself as:

    mileage tracker

  This could be ...

(The indented part could be in a different color / group box / ... such that
it is more apparent if the .desktop file tries to spoof a dialog box text.)

HTH,
Hans
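
Added example (not part of the original message and not KDE code): one way to build the dialog text proposed above, with fixed trusted wording and the file-supplied name flattened to a single quoted, indented line. The function names, the 60-character cap, the constructed sample entry and the closing sentence of the dialog are assumptions of this example.

```python
import html
import unicodedata

MAX_LABEL = 60  # assumed cap; very long names are a spoofing aid
ESCAPES = {"s": " ", "n": "\n", "t": "\t", "r": "\r", "\\": "\\"}
# Constructed sample: the spoof text from the thread, plus escapes and markup.
SAMPLE = ("[Desktop Entry]\nType=Service\n"
          "Name=system.\\n\\n<b>This is a vital service</b> - so you must "
          "click continue or risk breaking your system.\n")

def read_name(desktop_text):
    """Return the decoded Name= value of the [Desktop Entry] group, or ''."""
    group = None
    for line in desktop_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
        elif group == "Desktop Entry" and line.startswith("Name="):
            raw, out, i = line[5:], [], 0
            while i < len(raw):  # decode the \s \n \t \r \\ string escapes
                if raw[i] == "\\" and i + 1 < len(raw) and raw[i + 1] in ESCAPES:
                    out.append(ESCAPES[raw[i + 1]])
                    i += 2
                else:
                    out.append(raw[i])
                    i += 1
            return "".join(out)
    return ""

def safe_label(untrusted):
    """Flatten to one printable line, cap the length, escape markup."""
    # Control, format (bidi overrides, zero-width) and separator characters
    # all become plain spaces, so the name cannot start a new paragraph.
    chars = [" " if unicodedata.category(c)[0] in "CZ" else c for c in untrusted]
    flat = " ".join("".join(chars).split())
    if len(flat) > MAX_LABEL:
        flat = flat[:MAX_LABEL - 1] + "\u2026"
    return html.escape(flat, quote=False)  # for toolkits that render rich text

def dialog_text(desktop_text):
    """Trusted wording is fixed; the untrusted name is quoted and indented."""
    name = safe_label(read_name(desktop_text)) or "(no name given)"
    return ("You are about to run a service not marked as executable program.\n"
            "The service identifies itself as:\n\n"
            f"    \u201c{name}\u201d\n\n"
            # Closing sentence is this example's wording, not from the thread.
            "This text comes from the file itself and is not verified.")
```

Whatever the file puts in Name=, the result always has the same six lines, and the untrusted text only ever appears inside the quoted fourth line.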
More information about the kde-core-devel mailing list