On Tue, 2009-02-24 at 19:53 +0100, Yves-Alexis Perez wrote:
> On Tue, 2009-02-24 at 15:21 -0300, Daniel Ruoso wrote:
> > Last week, an old security issue in desktop environments went through a
> > widely public discussion (including on slashdot)[1][2]. As I said, this
> > issue is not new[3], but there seems to be no action on the upstream to
> > fix it.
> In Xfce this discussion arose at some time, and Thunar/xfdesktop will
> refuse to run “unsafe” .desktop files and present them with the mimetype
> x-thunar/suspected-malware.

I'm sorry, but that only addresses one half of the problem, which nautilus
in Debian also addresses. But it doesn't prevent desktop files that look
just right from being invoked directly after they are downloaded from a web
browser.

The issue here is about recognizing that .desktop files are executables,
and, as such, must have the x bit set in order to be executed.

Consider the user downloading a file from iceweasel, that sends it directly
to the Desktop. In a single step, the file is available with whatever
appearance it desires and is able to execute whatever it wants to.

daniel
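
Added example, not part of the original message or of any desktop environment's code: a sketch of the rule argued for above, in which a `.desktop` file with `Type=Application` and an `Exec` key is treated as a program and refused unless it carries an executable bit. The function names, verdict strings and the sample launcher are constructed for illustration.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample: a launcher as it might land in ~/Desktop after a download.
SAMPLE = """[Desktop Entry]
Type=Application
Name=Holiday photos
Icon=image-x-generic
Exec=sh -c 'echo constructed example payload'
"""


def check_launcher(path):
    """Return (verdict, exec_line) under the rule argued for above: a
    .desktop launcher runs only if it carries an executable bit."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.optionxform = str  # desktop entry keys are case-sensitive
    try:
        parser.read(path, encoding="utf-8")
        entry = parser["Desktop Entry"]
    except (configparser.Error, KeyError, UnicodeDecodeError):
        return ("not-a-launcher", None)
    if entry.get("Type") != "Application" or "Exec" not in entry:
        return ("not-a-launcher", None)  # Link/Directory entries run nothing
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    verdict = "allow" if os.stat(path).st_mode & exec_bits else "refuse"
    return (verdict, entry["Exec"])


def audit(directory):
    """Map each *.desktop file in `directory` to its (verdict, Exec) pair."""
    return {name: check_launcher(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))
            if name.endswith(".desktop")}


def demo():
    """Write the sample as a browser would (0644), audit, then chmod +x."""
    with tempfile.TemporaryDirectory() as desktop:
        path = os.path.join(desktop, "photos.desktop")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        before = audit(desktop)["photos.desktop"]
        os.chmod(path, 0o755)  # the explicit user step the rule requires
        after = audit(desktop)["photos.desktop"]
    return before, after


if __name__ == "__main__":
    print(demo())
```

The verdict depends only on the file mode, not on how the entry names or presents itself, so a freshly downloaded launcher stays inert until someone deliberately marks it executable.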