But HTML, PostScript, PDF and media files are content files.
.desktop files should really be treated as scripts because that's exactly what they are. There is no reason at all why someone would ever need to download a .desktop file and double-click it.
If such a need comes up though, just wrap it in a .tar.gz and let the user unpack it first, or require the user to right-click the file -> properties -> make executable.
Posted Feb 13, 2009 12:55 UTC (Fri) by roblucid (subscriber, #48964)
> But HTML, PostScript, PDF and media files are content files.
> .desktop files should really be treated as scripts because that's exactly what they are.
Do I need this feature at all? Sounds like something I would prefer totally disabled. If the DE is allowing scripts to masquerade as content, then it's a bug, and if the DE relies on arbitrary code execution scripts to function it appears to me to be poor design.
The problem is, how do you avoid content file formats being extended, with facilities like scripting?
Relying on users not being gullible to avoid giving execute permission is of limited value. The real problem goes deeper, hence the discussion of sand-boxing.
The data is tainted, the way to untaint it is via validation by trusted code.
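
An added example, not part of the original comments: one way a launcher's trusted code could apply the policy discussed in this thread, treating a .desktop file that carries an `Exec=` key as a script and refusing to run it unless its owner has marked it executable. The directory list, function names and sample file are assumptions constructed for illustration.

```python
import configparser
import os
import stat
import tempfile

# Assumption: directories only an administrator can write to.
TRUSTED_DIRS = ("/usr/share/applications", "/usr/local/share/applications")

# Constructed sample: a launcher whose name and icon imitate a document.
SAMPLE = """[Desktop Entry]
Type=Application
Name=report.pdf
Icon=application-pdf
Exec=sh -c 'echo launched'
"""

def read_entry(path):
    """Return the [Desktop Entry] keys as a dict, or None if the group is absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # desktop entry keys are case-sensitive
    try:
        cp.read(path, encoding="utf-8")
    except configparser.Error:
        return None
    if not cp.has_section("Desktop Entry"):
        return None
    return dict(cp["Desktop Entry"])

def launch_decision(path):
    """Decide whether Exec= from this file may be run; never runs it."""
    entry = read_entry(path)
    if entry is None or "Exec" not in entry:
        return ("inert", "no Exec key, nothing to run")
    real = os.path.realpath(path)
    if any(real.startswith(d + os.sep) for d in TRUSTED_DIRS):
        return ("allow", "installed in an administrator-controlled directory")
    st = os.stat(real)
    if not st.st_mode & stat.S_IXUSR:
        return ("refuse", "carries Exec= but is not marked executable")
    if st.st_uid != os.getuid():
        return ("refuse", "executable but owned by another user")
    return ("allow", "owner explicitly marked it executable")

def write_sample(mode):
    """Write SAMPLE to a temporary file with the given permission bits."""
    fd, path = tempfile.mkstemp(suffix=".desktop")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(SAMPLE)
    os.chmod(path, mode)
    return path
```
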