Closed
Issue created Feb 02, 2017 by Bugzilla Migration@bugzilla-migration

Hiding filename/extension for .desktop files with execute permission.

Submitted by Mathias Svanbäck

Assigned to Xfce Bug Triage

Link to original bug (#13329)

Description

Created attachment 6980: Screenshot of malicious .desktop file displayed in Thunar

Hiding the filename/extension may be used to trick users into executing arbitrary code.

How to reproduce:

  1. Create a file called malware.desktop

  2. Add the following content to it:

     [Desktop Entry]
     Name=CV.pdf
     Exec=sh -c 'touch ./MALWARE_WAS_HERE'
     Terminal=false
     Icon=x-office-document
     Type=Application
     Categories=Office

  3. Make it executable

Thunar displays the file like that: (see attachment)

Once the user opens the file, the Exec entry is executed without any confirmation. By hiding the filename, and therefore also the filename extension, users can easily be tricked into executing arbitrary code when someone ships files like that in an archive which preserves execute permissions.

How to fix it:

Maybe by not hiding the filename for .desktop files at all.

/u/wander_homer brought it up https://www.reddit.com/r/linux/comments/5r6va0/how_to_easily_trick_file_manager_users_to_execute/

For reference, this bug also applies to other file managers: https://github.com/lxde/pcmanfm-qt/issues/449 https://github.com/mate-desktop/caja/issues/727 https://github.com/linuxmint/nemo/issues/1404

Attachment 6980, "Screenshot of malicious .desktop file displayed in Thunar": Screenshot_2017-02-02_19-14-19 (image not included)

Version: 1.6.10
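As an added example, not part of this report or of Thunar's code, the following check flags launchers that a file manager would display under a document-like name, which is the pattern described above: Type=Application with an Exec line, a Name ending in a document extension and/or a document icon, and the execute bit set. The extension and icon lists are assumptions; the sample entry reproduces the one from the report.

```python
import configparser
from pathlib import Path

# Extensions a user expects a viewer, not a launcher, to open (assumed list).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".odt", ".ods", ".txt", ".jpg", ".png"}
# Icon names that make a launcher look like a document; x-office-document is the
# one used in the report, the others are assumed freedesktop icon names.
DOCUMENT_ICONS = {"x-office-document", "x-office-spreadsheet", "application-pdf"}

def parse_desktop_entry(text):
    """Return the [Desktop Entry] group as a dict, or None if text is not a .desktop file."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # .desktop keys are case-sensitive (Exec, not exec)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("Desktop Entry"):
        return None
    return dict(cp.items("Desktop Entry"))

def assess_desktop_entry(text, executable):
    """List the reasons a launcher would be mistaken for a document when displayed."""
    entry = parse_desktop_entry(text)
    if entry is None or entry.get("Type") != "Application" or "Exec" not in entry:
        return []  # not a launcher that runs a command, so nothing to disguise
    reasons = []
    name = entry.get("Name", "")
    if Path(name).suffix.lower() in DOCUMENT_EXTENSIONS:
        reasons.append(f"Name={name!r} ends in a document extension")
    if entry.get("Icon", "") in DOCUMENT_ICONS:
        reasons.append(f"Icon={entry['Icon']!r} is a document icon")
    if reasons and executable:
        # Per the report, only executable launchers get the real filename hidden.
        reasons.append("execute bit set, so the file manager hides the real filename")
    return reasons

# Constructed sample reproducing the launcher from the report above.
SAMPLE = """[Desktop Entry]
Name=CV.pdf
Exec=sh -c 'touch ./MALWARE_WAS_HERE'
Terminal=false
Icon=x-office-document
Type=Application
Categories=Office
"""

if __name__ == "__main__":
    for reason in assess_desktop_entry(SAMPLE, executable=True):
        print("malware.desktop:", reason)
```

When scanning real files, pass `os.access(path, os.X_OK)` as the `executable` argument, since that bit is what turns the entry into a trusted launcher.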
