Bugzilla – Bug 2714
"Name" key value collides with file names and that will misguide users
Last modified: 2009-02-18 03:24:17 UTC
If I've understood it correctly, the "Name" key specifies what programs ej: file
managers should show to user.
This can cause at least two kind of issues, one of them somewhat related with
security as seen in "other OSes"
Problem 1: What user sees is not what is there:
How to Reproduce:
Step 1) Create a foo.desktop file with Name="foo"
Step 2) Create another foo.desktop file in the gnome panel with Name="bar"
Step 3) Try to drag panel's foo.desktop file to user's desktop.
Bug: He'll get a warning because he's trying to overwrite "foo.desktop" with
"foo.desktop". User was just seeing "foo" and "bar". He'll never know that "foo"
and "bar" had the same name ie: the concept behind the "Name" key is broken
Problem 2: What user executes is not what he sees
How to reproduce:
Step 1) Create a whatever.desktop file
Step 2) Set Name="Natalie Portman Nude.jpg"
Step 3) Set Run=evil-executable
Bug: This is a well-learnt lesson from "another OS", where user thinks he's
opening a image and he's running a evil program, I don't think it needs more
How to Fix: Deprecate the "Name" Key for future versions. Name's primary reason
of existence seems to be "automatic translation of user's visible strings", and
it makes that very easy, but it's too dangerous. Alternative methods for
achieving the same goals should be developed. "Name" solves only one problem but
it causes more, just like the "executable MIME type" in Windows. Developers can
user the file name as temporary place to put the "user's visible string" until a
better solution is adopted.
I think the bugzilla component should be restricted to typos, unclear statements
in the spec and things like that. This isn't a good place to debate
philosophical disagreements with the specification. (You can try xdg-list,
but my expectation is that there will be no enthusiasm for an incompatible
change in the specification in this area.)
wow, that was a fast answer!
Thanks, I'll try...altough I don't expect to succed either ;(
One of the key issues with deprecating the 'name' aliasing to the desktop file mechanism, is it is required for separating the user's language preference from the filesystem, eg:
'Trash.desktop' appears in whatever language the user's locale is set to, rather than generating multiple unmanaged trash entries when he/she logs in with another one.
The real underlying issue would thus be: how was the desktop file running 'evil-executable' created? Clearly if there is a vector to do this, far worse can be accomplished, yet it'll still execute as a normal user, not being able to harm the system.