Bug#515104: Bug in the upstream

Daniel Ruoso daniel at ruoso.com
Thu Feb 19 15:09:33 UTC 2009


I've posted this bug in the gnome bugzilla.

http://bugzilla.gnome.org/show_bug.cgi?id=572203

I should note that iceweasel saves downloaded files in the Desktop by
default (without much notice), evolution seems to remember the last path
you used (which might be Desktop). 

In summary, there are many possible ways for a file to get into the
desktop, should we consider that every application that might copy some
file from any external resource into the user directory (Desktop is more
serious, but a .desktop in an inner directory might be as effective,
even if it takes more time for it to happen)?

I insist that this kind of policy is as fragile as all the solutions
that were tried in the Windows world and simply failed because, in the
end, a file that was downloaded from the internet can be executed in the
moment it is inside the computer.

The most correct solution is to use the x bit, because no file that came
from an external resource usually comes with the x bit set, and then
yes, we can consider *that* to be a security issue.

I also insist that the .desktop file *is* an executable. Ask yourself:
would it be sane for a perl script to be executed if it didn't have the
x bit set (when accessing the script from nautilus, that is)?

In the end, I really think we need to face that this was a bad
design/implementation decision and fix it, facing the costs of the
migration.


daniel
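
An added example, not part of the original message and not GNOME or Nautilus code: a small audit that models the x-bit policy proposed above by walking a directory tree, reading the `Exec=` key of each `.desktop` file, and reporting whether the owner execute bit would allow a launch. The function names, the "launch"/"refuse" verdicts and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def parse_exec(path):
    """Return the Exec= value from the [Desktop Entry] group, or None."""
    in_entry = False
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("["):
                in_entry = (line == "[Desktop Entry]")
            elif in_entry and "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                if key.strip() == "Exec":
                    return value.strip()
    return None

def audit(root):
    """Map each .desktop file with an Exec key to (verdict, command)."""
    verdicts = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".desktop"):
                continue
            path = os.path.join(dirpath, name)
            command = parse_exec(path)
            if command is None:
                continue  # no Exec key, nothing would be launched
            verdict = "launch" if os.stat(path).st_mode & stat.S_IXUSR else "refuse"
            verdicts[os.path.relpath(path, root)] = (verdict, command)
    return verdicts

def build_sample(root):
    """Constructed sample tree: one file saved without x, one with x set."""
    body = "[Desktop Entry]\nType=Application\nName=Sample\nExec=/bin/true\n"
    os.makedirs(os.path.join(root, "Desktop", "inner"))
    for rel, mode in (("Desktop/downloaded.desktop", 0o644),
                      ("Desktop/inner/trusted.desktop", 0o755)):
        path = os.path.join(root, rel)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, (verdict, cmd) in sorted(audit(tmp).items()):
            print(f"{verdict:7} {rel}  Exec={cmd}")
```

Pointing `audit()` at a real home directory lists the launchers that currently lack the x bit, which is also the set a migration to this policy would have to handle.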








More information about the pkg-gnome-maintainers mailing list