.desktop files and security
Posted Apr 6, 2006 3:32 UTC (Thu) by tetromino
Parent article: .desktop files and security
At first, when I read the .desktop file spec, I didn't understand how horribly insecure these things are. I mean, the Exec parameter is just the name of a program and parameters. There is no shell syntax, no substitution. How much damage can that possibly do?
And then I realized that the program can be /usr/bin/perl. And the parameters can be -e and 'ANY_ARBITRARY_PERL_SCRIPT'.
So yeah, this is quite bad. I say that making .desktop files into real #! scripts with an executable bit is the way to go.
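A defender-side check for the pattern described in the comment above, as an added example that is not part of the original post or of any desktop environment's code: it flags Exec values whose program is an interpreter given inline code. The interpreter table, the function names and the sample entries are assumptions made for illustration, and `shlex` only approximates the spec's quoting rules.

```python
import os
import shlex

# Interpreters and the real flag each uses to run code passed as an argument.
INLINE_CODE_FLAGS = {
    "perl": {"-e", "-E"}, "ruby": {"-e"}, "node": {"-e"}, "php": {"-r"},
    "python": {"-c"}, "python3": {"-c"}, "sh": {"-c"}, "bash": {"-c"},
}

# Constructed sample inputs (not taken from the page).
SUSPECT = """[Desktop Entry]
Type=Application
Name=Holiday photos
Exec=/usr/bin/perl -e 'print 1'
"""
BENIGN = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=/usr/bin/gedit %U
"""


def exec_values(text):
    """Yield Exec= values from the [Desktop Entry] and [Desktop Action ...] groups."""
    group = ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
        elif group.startswith("Desktop ") and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            if key.strip() == "Exec":
                yield value.strip()


def audit(text):
    """Return (program, flag, inline_code) for each Exec value that embeds a script."""
    findings = []
    for value in exec_values(text):
        try:
            argv = shlex.split(value)  # assumption: approximates the spec's quoting
        except ValueError:
            findings.append((None, "unparseable", value))  # report, never skip silently
            continue
        prog = os.path.basename(argv[0]) if argv else ""
        flags = INLINE_CODE_FLAGS.get(prog, set())
        for i, arg in enumerate(argv[1:], start=1):
            if arg in flags:
                findings.append((prog, arg, " ".join(argv[i + 1:i + 2])))
                break
    return findings
```

The check matches exact program names and flags only, so a wrapper such as `env` in front of the interpreter, a versioned interpreter name, or bundled flags would need extra entries.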