Xfce Forum

Sub domains
 

You are not logged in.

#1 2018-04-15 10:17:04

jkqmehix
Member
Registered: 2018-04-15
Posts: 1

Thunar automatically interprets ".desktop" files

Although Thunar requires the +x flag to interpret and execute ".desktop" files, I still consider it as an undesirable behaviour. If I extract such files from an archive downloaded from the Internet, they can have the +x flag set and will be interpteted automatically. Or other untrusted user on the same machine can create such file in his home directory, which I can browse as root.

For example, this file automatically changes its name to "image.png" and sets a preview. One could easily take it for an image and double click it executing a malicious script.

Some other file managers suffer from the same issue, including Nemo and the worst case PCManFM, which doesn't even require the +x flag and ".desktop" extension. Dolphin on the other hand works as expected, it doesn't allow files to change their names and always asks to execute.

Offline

#2 2018-04-15 14:05:24

ToZ
Moderator
From: Canada
Registered: 2011-06-02
Posts: 4,861

Re: Thunar automatically interprets ".desktop" files

Hello and welcome.

jkqmehix wrote:

Although Thunar requires the +x flag to interpret and execute ".desktop" files, I still consider it as an undesirable behaviour.

In that case, probably best to open a bug report to get the developer's attention.

Offline

Board footer

Powered by FluxBB