[Thunar-dev] Security issue with .desktop files in Thunar

Benedikt Meurer benedikt.meurer at unix-ag.uni-siegen.de
Wed Apr 12 00:23:14 CEST 2006


Jaap Karssenberg wrote:
>>This issue is currently being discussed on the xdg mailing list.
> 
> Ok, didn't know that - was just playing around with desktop entry files :)
> 
> It may be noted that thunar's behavior is worse than that of other file 
> managers. Rox and Konqueror at least leave the filename intact and 
> Nautilus even has a special icon for desktop files.

Nautilus uses the icon specified in the .desktop file (your example
desktop file doesn't contain a valid Icon value, that may be the reason
why you don't see the icon). Konquerors behavior is inconsistent, i.e.
kdesktop displays the name of the .desktop file while file manager
windows display the file name (IIRC), so as attacker just make sure to
place the file on the desktop and voila (which is even worse, since the
desktop is the default download location for files in several browsers).
ROX, dunno, displays a binary icon for the file, but still executes it
properly, some people might call that secure... read the XDG threads.

But for your example, there's indeed an easy way to improve Thunars
security there.

> Anyway I'll read on xdg what the consensus is.

There's no consensus yet.

> -- Jaap Karssenberg <pardus at cpan.org>

Benedikt



More information about the Thunar-dev mailing list