[Thunar-dev] Security issue with .desktop files in Thunar

Jaap Karssenberg j.g.karssenberg at student.utwente.nl
Tue Apr 11 23:36:17 CEST 2006


Attached you find a file that is a modified desktop file of an 
application of mine. This desktop file shows up as a well behaved pdf 
document in thunar (icon is pdf and the "filename" ends in .pdf !) but 
when you click it it will execute some program. Since this program can 
also be bash with some inline script as commandline argument this is 
quite bad.

I think it would be much better if the "filename" didn't show the "name" 
field from the desktop file but just something ending in .desktop .


-- Jaap Karssenberg <pardus at cpan.org>

P.S. didn't check against latest Thunar so my apologies if this is 
already fixed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: zim_presentation.desktop
Type: application/x-desktop
Size: 374 bytes
Desc: not available
URL: <http://mail.xfce.org/pipermail/thunar-dev/attachments/20060411/8d7b7110/attachment.bin>

More information about the Thunar-dev mailing list