Created attachment 1247064
Screenshot of how it is possible.
All Gnome 3 Nautilus versions are affected.
How to reproduce:
1. Create a file called malware.desktop
2. Add the following content to it:
Exec=sh -c 'touch ~/MALWARE_WAS_HERE'
3. Make it executable
Nautilus displays the file like this (see attachment).
Once the user opens the file, the Exec entry is executed without any confirmation. By hiding the filename, and therefore also the filename extension, users can easily be tricked into executing arbitrary code when someone ships files like that in an archive which preserves execute permissions. Especially since nowadays Nautilus even extracts archives with a simple double click.
How to fix it:
Maybe by not hiding the filename for .desktop files at all.
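As an added example (not part of this report and not Nautilus code), a small Python audit script that parses the [Desktop Entry] keys of .desktop files and flags executable ones whose Exec= runs an interpreter with -c, or which carry no Name= to display in place of the filename; the interpreter list, the finding codes and the embedded sample are my own choices.

```python
import os

# Interpreters whose "-c" form lets Exec= carry an arbitrary inline command.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "python", "python3", "perl"}
# The launcher from the report above, as a constructed in-memory sample.
REPORTED_CONTENT = "Exec=sh -c 'touch ~/MALWARE_WAS_HERE'\n"


def parse_desktop_entry(text: str) -> dict[str, str]:
    """Key=Value pairs of the [Desktop Entry] group; lenient, so pairs before
    any group header (as in the report's file) count as well."""
    entries: dict[str, str] = {}
    group = "Desktop Entry"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
        elif group == "Desktop Entry" and "=" in line:
            key, value = line.split("=", 1)
            entries.setdefault(key.strip(), value.strip())
    return entries


def audit_desktop_file(text: str, executable: bool) -> list[str]:
    """Finding codes for one file; only executable files are audited, since
    those are the ones Nautilus treats as trusted launchers and runs on open."""
    if not executable:
        return []
    entries = parse_desktop_entry(text)
    findings: list[str] = []
    argv = entries.get("Exec", "").split()
    if argv and os.path.basename(argv[0]) in SHELLS and "-c" in argv[1:]:
        findings.append("inline-shell-exec")
    if not entries.get("Name"):
        findings.append("no-display-name")  # nothing shown in place of the filename
    return findings


def scan_directory(root: str) -> dict[str, list[str]]:
    """Audit every *.desktop file under root; returns path -> findings."""
    report: dict[str, list[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for fname in filenames:
            if fname.endswith(".desktop"):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = audit_desktop_file(fh.read(), os.access(path, os.X_OK))
                if found:
                    report[path] = found
    return report
```

Running scan_directory over a freshly extracted archive shows which launchers would be run on a double click while displaying no filename.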
This was fixed upstream and will be present in the next RHEL version.