| Summary: | Kickoff (also maybe for alternative menus too): Security concerns | | |
|---|---|---|---|
| Product: | [Plasma] plasmashell | Reporter: | Gabriel Fernandes <gabrielfernnd> |
| Component: | Application Launcher (Kickoff) | Assignee: | David Edmundson <kde> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | nate, plasma-bugs |
| Priority: | NOR | | |
| Version: | master | | |
| Target Milestone: | 1.0 | | |
| Platform: | Other | | |
| OS: | Linux | | |
| Latest Commit: | https://commits.kde.org/plasma-workspace/97bf7d777e56a451eb91731d9209fb1d55689957 | Version Fixed In: | 5.18.4 |
Description
Gabriel Fernandes
2020-03-27 19:59:08 UTC
Please don't link social media sites. File a bug properly.

Edit: my reply was maybe a little curt. I see now you are probably the original reporter, which helps. In any case. Please do paste copy and paste inline. Partly for prosperity, and partly because I don't want to have to copy text from an image. Also I'm not sure I understand from the information given. I created a file called test.png. It was really a .desktop file with an Exec line. I open it in dolphin; it tries to open gwenview despite "file.png" showing the magic header as being ascii text.

Oh sorry. I just didn't want to duplicate myself, in this case triplicate (also another report for the krunner product). It doesn't work if the file has a common extension, such as png; if you name it "file.png." for example, open the file to have it as a recent file when you search using kickoff or krunner, when you enter the file it will get executed.

*** Bug 419308 has been marked as a duplicate of this bug. ***

> open the file to have it as a recent file when you search using kickoff or krunner,

But then it's been already run? Unless the user does "open with" the first time.

I don't yet understand why it's different from the typical dolphin + executable desktop file case? If anything it's more convoluted as the user has to open the file twice.

Fix itself is pretty straightforward: https://phabricator.kde.org/P566

Generally there's not too much we can do against the .desktop situation (without also breaking things), but in this case it maybe makes sense given we know the context is recent documents.

In dolphin we have 3 options.
1. You have a popup that asks you what you want to do (open or execute)
2. Set open as default, so always when you click an executable the file is opened with a default application (kate, let's say)
3. Execute without asking.

Let's say you have the second option set in dolphin, so one time, you clicked the file, it just got opened in the text editor, fine, secure. If that file pops up in krunner/kickoff, it will only get executed; there isn't the same safety mechanism dolphin has (the first 2 options). This kinda deceives you, as you don't expect the different behavior (you are certain you won't execute any untrusted executable from dolphin because of the safest options, but you might be tricked by the launcher to execute something you opened once to inspect what's in there).

Ok, that's a reasonable answer. I'll land the above.

That's really good. I'm afraid it's possible to suffer from the same effect through other runners. It doesn't seem to be possible to execute a file from the "Desktop search" runner as it filters to show only true images, audio etc. But the "Locations" runner does execute the .desktop file.

> But the "Locations" runner does execute the .desktop file

But that requires explicit user activity to get it in locations first, right?

Git commit 97bf7d777e56a451eb91731d9209fb1d55689957 by David Edmundson.
Committed on 29/03/2020 at 15:13.
Pushed by davidedmundson into branch 'Plasma/5.18'.

[runners/recentdocuments] disable executables or .desktop files

Summary:
It's possible to have a .desktop file in your recent documents list as you were editing it. Either as a .desktop file or masquerading as something else.

By default we would process the .desktop file like a .desktop file. You do get a prompt if the .desktop file is not executable like in dolphin.

Given we know from context that we're showing recent "Documents" we may as well turn that behaviour off without risk of ill effects.

Test Plan:
Created .desktop file (masquerading as something else)
Had it in my recent documents after opening in another format
Loaded the file from krunner. It now opened in my text editor instead of running the Exec line

Reviewers: #plasma, ngraham
Reviewed By: ngraham
Subscribers: ngraham, plasma-devel
Tags: #plasma
Differential Revision: https://phabricator.kde.org/D28369

M +2 -1 runners/recentdocuments/recentdocuments.cpp

https://commits.kde.org/plasma-workspace/97bf7d777e56a451eb91731d9209fb1d55689957

> But that requires explicit user activity to get it in locations first, right?

Yes, the user has to enter the location. Much less likely to happen. I just wanted to point out, even though it says open, in fact it executes the file: https://imgur.com/a/NHjKpuS
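The masquerading case this thread is about (a file named like an image whose content is a Desktop Entry with an Exec line, which a launcher would run rather than open) can be checked for from the defender's side. The checker below is an added example, not code from the bug thread or from the plasma-workspace fix; the verdict names and the sample inputs are constructed for illustration.

```python
# Added example (not from the bug thread or the plasma-workspace fix): a small
# checker for the masquerading case discussed above, i.e. a file whose name
# says "image" but whose content is a Desktop Entry with an Exec line, which is
# what a launcher would execute. Sample inputs below are constructed.
import os
from configparser import ConfigParser, Error as ConfigError
from typing import Iterable, List, Tuple

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def is_desktop_entry(data: bytes) -> bool:
    """True if the bytes parse as a freedesktop Desktop Entry carrying an Exec key."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False  # binary content (a real PNG, say) is never a Desktop Entry
    parser = ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except ConfigError:
        return False  # no "[Desktop Entry]" header, malformed lines, etc.
    return parser.has_option("Desktop Entry", "Exec")


def masquerade_verdict(name: str, data: bytes) -> str:
    """Classify a recent-documents entry as 'plain', 'desktop' or 'masquerading'."""
    ext = os.path.splitext(name.rstrip("."))[1].lower()  # tolerate "file.png."
    if not is_desktop_entry(data):
        return "plain"         # opening it just opens it
    if ext == ".desktop":
        return "desktop"       # honest .desktop file; the usual prompt rules apply
    return "masquerading"      # name says document, content says Exec


def scan(entries: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Run the verdict over (name, content) pairs, e.g. read from a recent-files list."""
    return [(name, masquerade_verdict(name, data)) for name, data in entries]


# Constructed samples: a Desktop Entry named like an image, a real PNG header,
# and the same Desktop Entry under its honest name.
SAMPLE_DESKTOP = b"[Desktop Entry]\nType=Application\nName=Not a picture\nExec=/bin/true\n"
SAMPLE_PNG = PNG_MAGIC + b"\x00" * 16

if __name__ == "__main__":
    for name, verdict in scan([("file.png.", SAMPLE_DESKTOP),
                               ("real.png", SAMPLE_PNG),
                               ("tool.desktop", SAMPLE_DESKTOP)]):
        print(f"{name}: {verdict}")
```

Feeding it the names and contents of the files in a user's recent-documents list flags exactly the entries that would have been executed by the runner before the fix.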