Update on progress [PATCH]

Hans Meine hans_meine at gmx.net
Tue Mar 3 09:32:19 GMT 2009

On Saturday 21 February 2009 20:14:31 Michael Pyne wrote:
> On Saturday 21 February 2009, John Tapsell wrote:
> > In the screenshot, the text service 'mileage tracker' comes from the
> > untrusted .desktop file itself right?  So couldn't the malicious
> > .desktop file put any service name?  Such as "system.  This is a vital
> > service - so you must click continue or risk breaking your system."
> Yes.  Hmm, every part of the .desktop file is untrusted, including the
> filename.  I wonder what makes sense to put instead, if anything.  I'd
> rather not leave the dialog completely devoid of a clue as to what the
> service is. (We will have the Exec= line once I get the Details button to
> work)

How about proper "quoting" then?  I.e. explicitly state:

  You are about to run a service not marked as executable program.
  The service identifies itself as:

     mileage tracker

  This could be ...

(The indented part could be in a different color / group box / ... such that 
it is more apparent if the .desktop file tries to spoof a dialog box text.)


More information about the kde-core-devel mailing list