Version: 2.1.9 (KDE 3.2.0) (using KDE KDE 3.2.0)
Installed from: Debian testing/unstable Packages

When opening a ZIP archive (also tested .tar.gz) which contains a shell script, a double-click on that script yields the following warning dialog:

"The file you are trying to view may be an executable. Running untrusted executables may compromise your system's security Are you sure you want to *VIEW* that file? Yes / No" (Emphasis mine)

To me this meant that if I click "Yes" I could *view* the file, not execute it, and if I click "No" ark would not do anything (Cancel). But clicking on "Yes" tries to execute the script, which was unexpected, and I would say the wording in the warning dialog is at least ambiguous if one does not realize that "viewing an executable" may mean "executing" it.

This could be used to trick unwitting users into executing scripts, because the warning asks if one wants to *view* the file, but then *executes* it if one clicks on "Yes", which is grossly misleading IMO. The warning message should clearly inform the user that he is going to execute the script; the usage of the word *view* in that context is wrong.

Patrick
Created attachment 4679
Tar Archive to demonstrate the trick.

The attached tar.gz file illustrates the trick. The tar.gz contains an executable file named README. Opening the archive with ark and then double-clicking the README file inside the archive will pop up the ambiguous warning. If one then chooses "Yes" from the dialog, the script is executed even though the dialog suggests it could be viewed. (It writes something to stdout and pops up a kdialog error box saying "Gotcha!")
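A pre-open check for the situation described in this report, as an added example (not part of the original report and not ark's code): it lists tar archive members that carry an executable bit or a `#!` line, reading them in memory without extracting or running anything. The function names and the sample archive are constructed for illustration.

```python
import io
import stat
import tarfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def risky_members(archive):
    """Return (name, reasons) for regular files that would run rather than open.

    Members are read in memory only; nothing is extracted to disk or executed.
    """
    findings = []
    with tarfile.open(fileobj=archive, mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            reasons = []
            if member.mode & EXEC_BITS:
                reasons.append("executable bit set (mode %04o)" % (member.mode & 0o7777))
            # A harmless-looking name such as README says nothing about content,
            # so also check the first two bytes for an interpreter line.
            if tar.extractfile(member).read(2) == b"#!":
                reasons.append("starts with #! interpreter line")
            if reasons:
                findings.append((member.name, reasons))
    return findings


def build_sample():
    """Constructed sample: a harmless script named README plus a plain text file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, data in [
            ("README", 0o755, b"#!/bin/sh\necho sample\n"),
            ("notes.txt", 0o644, b"plain text\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.mode = mode
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reasons in risky_members(build_sample()):
        print("%s: %s" % (name, "; ".join(reasons)))
```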
The message cannot be changed in the 3.2 branch, as messages are frozen for translation. I'll change HEAD. Please note that this is way better than what we did in 3.1 (simply execute the file, without asking anything).