Bug 1418632

Summary: Nautilus hides filename for .desktop files with execute permission
Product: Red Hat Enterprise Linux 7
Reporter: Peter <petercheco>
Component: nautilus
Assignee: Carlos Soriano <csoriano>
Status: CLOSED UPSTREAM
QA Contact: Desktop QE <desktop-qa-list>
Severity: high
Docs Contact:
Priority: unspecified
Version: 7.3
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-02-21 09:17:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: Screenshot how is possible. (Flags: none)

Description Peter 2017-02-02 11:49:37 UTC
Created attachment 1247064
Screenshot how is possible.

All Gnome 3 Nautilus versions are affected.

How to reproduce:

1. Create a file called malware.desktop 

2. Add the following content to it:

[Desktop Entry]
Name=CV.pdf
Exec=sh -c 'touch ~/MALWARE_WAS_HERE'
Terminal=false
Icon=x-office-document
Type=Application
Categories=Office

3. Make it executable

Nautilus displays the file like this (see attachment).

Once the user opens the file, the Exec entry is executed without any confirmation. By hiding the filename, and therefore also the filename extension, users can easily be tricked into executing arbitrary code when someone ships files like that in an archive which preserves execute permissions, especially since nowadays Nautilus even extracts archives with a simple double click.

How to fix it:

Maybe by not hiding the filename for .desktop files at all.
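
The spoofing condition described in the report (an executable Type=Application launcher whose Name= pretends to be a document) can be reproduced and checked for with the following script. This is an added example, not code from the bug report or from Nautilus: it builds the report's malware.desktop plus two constructed control files in a temporary directory, parses each launcher with the standard-library configparser, and flags only launchers that are executable, carry an Exec= line, and have a Name= ending in one of an assumed, heuristic list of document extensions. The extension list and the file names are assumptions for illustration.

```python
"""Added example (not from the bug report or Nautilus): reproduce the
.desktop Name spoofing condition and scan a directory for it.
Standard library only."""
import configparser
import os
import stat
import tempfile

# Constructed sample: the malware.desktop from the bug report.
SPOOFED_DESKTOP = """[Desktop Entry]
Name=CV.pdf
Exec=sh -c 'touch ~/MALWARE_WAS_HERE'
Terminal=false
Icon=x-office-document
Type=Application
Categories=Office
"""

# Constructed control: an ordinary launcher whose Name does not mimic a document.
BENIGN_DESKTOP = """[Desktop Entry]
Name=Text Editor
Exec=gedit %U
Type=Application
"""

# Assumed heuristic list: a launcher Name that ends like a document filename
# is what a user would mistake for data rather than an executable.
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".odt", ".xls", ".xlsx",
                       ".txt", ".jpg", ".png", ".zip")


def parse_desktop_entry(path):
    """Return the [Desktop Entry] group as a dict, or None if absent/unparseable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # .desktop keys are case-sensitive; keep them as written
    try:
        cp.read(path, encoding="utf-8")
    except configparser.Error:
        return None
    if not cp.has_section("Desktop Entry"):
        return None
    return dict(cp["Desktop Entry"])


def is_executable(path):
    """True if any execute bit is set (the condition under which Nautilus shows Name)."""
    return bool(os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def looks_like_document_name(name):
    """Heuristic: does the displayed Name end in a document-style extension?"""
    return name.lower().endswith(DOCUMENT_EXTENSIONS)


def check_desktop_file(path):
    """Return a list of findings for one .desktop file; empty means nothing suspicious."""
    entry = parse_desktop_entry(path)
    if entry is None:
        return []
    findings = []
    shown = entry.get("Name", "")
    if (entry.get("Type") == "Application" and "Exec" in entry
            and is_executable(path) and looks_like_document_name(shown)):
        findings.append("executable launcher %s shows Name %r but runs Exec %r"
                        % (os.path.basename(path), shown, entry["Exec"]))
    return findings


def scan_directory(directory):
    """Map each suspicious .desktop path under directory to its findings."""
    report = {}
    for root, _dirs, files in os.walk(directory):
        for fn in files:
            if fn.endswith(".desktop"):
                p = os.path.join(root, fn)
                findings = check_desktop_file(p)
                if findings:
                    report[p] = findings
    return report


def build_sample_tree():
    """Write the constructed samples to a temp dir; return their paths by label."""
    d = tempfile.mkdtemp(prefix="desktop-spoof-")
    paths = {"dir": d,
             "spoofed": os.path.join(d, "malware.desktop"),
             "benign": os.path.join(d, "editor.desktop"),
             "nonexec": os.path.join(d, "not_executable.desktop")}
    for label, content in (("spoofed", SPOOFED_DESKTOP),
                           ("benign", BENIGN_DESKTOP),
                           ("nonexec", SPOOFED_DESKTOP)):
        with open(paths[label], "w", encoding="utf-8") as fh:
            fh.write(content)
    os.chmod(paths["spoofed"], 0o755)   # step 3 of the report: make it executable
    os.chmod(paths["benign"], 0o755)    # executable but honest Name: not flagged
    os.chmod(paths["nonexec"], 0o644)   # same content, no x bit: filename is shown
    return paths


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, findings in sorted(scan_directory(sample["dir"]).items()):
        for f in findings:
            print("%s: %s" % (path, f))
```

Running the script prints one line for malware.desktop and nothing for the two controls: the benign launcher has an honest Name and the non-executable copy never triggers the Name-for-filename substitution. Point scan_directory at ~/Downloads or at an extracted archive to apply the same check to real files.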

Comment 2 Carlos Soriano 2017-02-21 09:17:29 UTC
This was fixed upstream and will be present in the next RHEL version.
https://git.gnome.org/browse/nautilus/commit/?id=1630f53481f445ada0a455e9979236d31a8d3bb0