Xfce Forum

Sub domains
 

You are not logged in.

#1 2018-04-15 10:17:04

jkqmehix
Member
Registered: 2018-04-15
Posts: 1

Thunar automatically interprets ".desktop" files

Although Thunar requires the +x flag to interpret and execute ".desktop" files, I still consider it as an undesirable behaviour. If I extract such files from an archive downloaded from the Internet, they can have the +x flag set and will be interpteted automatically. Or other untrusted user on the same machine can create such file in his home directory, which I can browse as root.

For example, this file automatically changes its name to "image.png" and sets a preview. One could easily take it for an image and double click it executing a malicious script.

Some other file managers suffer from the same issue, including Nemo and the worst case PCManFM, which doesn't even require the +x flag and ".desktop" extension. Dolphin on the other hand works as expected, it doesn't allow files to change their names and always asks to execute.

Offline

#2 2018-04-15 14:05:24

ToZ
Administrator
From: Canada
Registered: 2011-06-02
Posts: 10,949

Re: Thunar automatically interprets ".desktop" files

Hello and welcome.

jkqmehix wrote:

Although Thunar requires the +x flag to interpret and execute ".desktop" files, I still consider it as an undesirable behaviour.

In that case, probably best to open a bug report to get the developer's attention.


Please remember to mark your thread [SOLVED] to make it easier for others to find
--- How To Ask For Help | FAQ | Developer Wiki  |  Community | Contribute ---

Online

Board footer

Powered by FluxBB