Bug 1418632
Summary: Nautilus hides filename for .desktop files with execute permission

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Red Hat Enterprise Linux 7 | Reporter | Peter <petercheco> |
| Component | nautilus | Assignee | Carlos Soriano <csoriano> |
| Status | CLOSED UPSTREAM | QA Contact | Desktop QE <desktop-qa-list> |
| Severity | high | Docs Contact | |
| Priority | unspecified | | |
| Version | 7.3 | | |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2017-02-21 09:17:29 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
This was fixed upstream and will be present in the next RHEL version. https://git.gnome.org/browse/nautilus/commit/?id=1630f53481f445ada0a455e9979236d31a8d3bb0
Created attachment 1247064 [details]
Screenshot of how this is possible.

All Gnome 3 Nautilus versions are affected.

How to reproduce:

1. Create a file called malware.desktop
2. Add the following content to it:

    [Desktop Entry]
    Name=CV.pdf
    Exec=sh -c 'touch ~/MALWARE_WAS_HERE'
    Terminal=false
    Icon=x-office-document
    Type=Application
    Categories=Office

3. Make it executable

Nautilus displays the file like that: (see attachment)

Once the user opens the file, the Exec entry is executed without any confirmation. By hiding the filename and therefore also the filename extension, users can easily be tricked into executing arbitrary code when someone ships files like that in an archive which preserves execute permissions. Especially since nowadays Nautilus even extracts archives with a simple double click.

How to fix it: Maybe by not hiding the filename for .desktop files at all.
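The report's disguise rests on three things a scanner can check directly: the file is a Type=Application launcher with an Exec line, it carries the execute bit, and its Name field tells the user something other than the real filename. The script below is an added example written for this page, not Nautilus code and not part of the bug report; it walks a directory (for instance, one into which an archive was just extracted) and flags executable .desktop launchers whose displayed Name looks like a document or differs from the filename. The list of document-like suffixes and the name-mismatch rule are heuristics chosen here, not anything the report or the upstream fix specifies, and the embedded malware.desktop content is a constructed copy of the report's own example.

```python
import configparser
import os
import stat
import tempfile
from pathlib import Path

# Heuristic (assumption): a launcher whose Name ends like an ordinary document is
# the disguise the report describes (Name=CV.pdf on a file that runs Exec).
DOCUMENT_SUFFIXES = (".pdf", ".doc", ".docx", ".odt", ".xls", ".xlsx", ".txt", ".jpg", ".png")


def parse_desktop_entry(path):
    """Return the [Desktop Entry] group of a .desktop file as a dict, or None if absent."""
    parser = configparser.RawConfigParser(strict=False, interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case as written: Name, Exec, Type
    with open(path, encoding="utf-8", errors="replace") as fh:
        parser.read_file(fh)
    if not parser.has_section("Desktop Entry"):
        return None
    return dict(parser.items("Desktop Entry"))


def is_executable(path):
    """True if any execute bit is set, which is what step 3 of the report relies on."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def assess_desktop_file(path):
    """Return a list of reasons this .desktop file looks like a disguised launcher ([] if none)."""
    path = Path(path)
    entry = parse_desktop_entry(path)
    if entry is None:
        return []
    # Only Type=Application entries with an Exec line run a command when opened.
    if entry.get("Type") != "Application" or "Exec" not in entry:
        return []
    reasons = []
    display_name = entry.get("Name", "")
    if display_name.lower().endswith(DOCUMENT_SUFFIXES):
        reasons.append(f"Name={display_name!r} looks like a document but the file runs Exec={entry['Exec']!r}")
    if display_name and display_name != path.stem:
        reasons.append(f"display name {display_name!r} differs from filename {path.name!r}")
    return reasons


def scan_directory(root):
    """Walk root; return {path: reasons} for each executable .desktop launcher that looks disguised."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".desktop"):
                continue
            full = os.path.join(dirpath, name)
            if not is_executable(full):
                continue  # the report's trick needs the execute bit; skip non-executable entries
            reasons = assess_desktop_file(full)
            if reasons:
                findings[full] = reasons
    return findings


# Constructed sample: the malware.desktop from the report, written to a temp dir only.
SAMPLE_DESKTOP_FILE = """[Desktop Entry]
Name=CV.pdf
Exec=sh -c 'touch ~/MALWARE_WAS_HERE'
Terminal=false
Icon=x-office-document
Type=Application
Categories=Office
"""


def demo():
    """Create the sample (executable) plus a non-executable sibling and scan; returns findings by basename."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp) / "malware.desktop"
        bad.write_text(SAMPLE_DESKTOP_FILE)
        bad.chmod(0o755)
        # Same content but no execute bit: not flagged, since the disguise cannot fire.
        (Path(tmp) / "benign.desktop").write_text(SAMPLE_DESKTOP_FILE)
        return {os.path.basename(k): v for k, v in scan_directory(tmp).items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run it over the directory an archive was extracted into before opening anything inside; a hit means the Name a file manager would show does not describe what a double click does. The execute-bit filter mirrors the report's reproduction step, so a hardened variant for untrusted downloads could drop that filter and flag every Exec-bearing launcher.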