Re: Nautilus, metadata and extended attributes



On Sat, 31-01-2004 at 15:14, Frank Worsley wrote:

> On Windows an email virus spreads by attaching a file like
> "letter.doc.vbs" to the mail. Users quickly look at the filename, only
> see the "letter.doc" part, and decide to open the file. Windows sees the
> .vbs extension and opens the file with the VB Script interpreter. Voila,
> you've just run a script on the system. The same goes for .js, .exe,
> .com, .bat, .com, .cmd, and other extensions.
> 
> However, this couldn't happen on a standard Linux setup because a file
> doesn't get executed unless the execute bit is set. Luckily you can't
> include file permissions in an attachment, so to run a file the user
> has to first save it to disk, manually set the execute permissions, and
> then double-click it.

Wine executes Windows executables that you provide on its command line
via the "wine" command.  I don't know if it blocks files by extension,
but I'm sure "filtering extensions" is a stupid idea anyway.  Note that
Wine doesn't require EXE files to be chmod +x.

> 
> Of course, a user might directly associate their interpreter with script
> files using the control center. If Nautilus performs sniffing and finds
> out the Gnumeric file is actually a Perl script and then opens it with
> the associated Perl interpreter, you would be in trouble. This is even
> worse than on Windows, since even an alert user wouldn't notice anything
> is wrong until he at least selected the file to force content sniffing
> to happen.
> 
> I think some consideration should be put into how we handle the case
> where the extension and sniffed file type don't match. I think a warning
> dialog would be appropriate in this case.

These corner cases are caused because of the use of extensions.  Design
decisions do take their toll on programmer time and potential defects.

We're late on the development phase (by ten years) but it's never too late
to change to something more correct.  Staying with wrong approaches will
eventually lead to more defects and more costs for the end-user.

> 
> - Frank
-- 
	Manuel Amador (Rudd-O)
	GPG key ID: 0xC1033CAD at keyserver.net

Attachment: signature.asc
Description: This part of the message is digitally signed
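
The warning discussed in this message (file name and sniffed content disagree, plus the "letter.doc.vbs" naming trick), sketched as an added example that is not part of the original e-mail or of Nautilus. The extension tables, magic-byte list and function names are assumptions made for illustration, and the check is narrowed to the case where the content or the final extension is an active type.

```python
import os

# Constructed tables for this example; a real file manager would consult
# the desktop's MIME database rather than hard-coded lists.
ACTIVE_EXTS = {".vbs": "script", ".js": "script", ".bat": "script", ".cmd": "script",
               ".pl": "script", ".sh": "script", ".exe": "executable", ".com": "executable"}
INERT_EXTS = {".doc", ".txt", ".gnumeric", ".pdf", ".jpg"}
MAGIC = [(b"#!", "script"), (b"\x7fELF", "executable"), (b"MZ", "executable")]


def sniff(head: bytes) -> str:
    """Classify content by its leading bytes: script, executable or data."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "data"


def name_class(filename: str) -> str:
    """Classify by the final extension only, which is what the opener acts on."""
    ext = os.path.splitext(filename.lower())[1]
    return ACTIVE_EXTS.get(ext, "data")


def warnings_for(filename: str, head: bytes) -> list[str]:
    """Return the warnings a file manager could show before opening the file."""
    found = []
    by_name, by_content = name_class(filename), sniff(head)
    # Content is active but the name promises something else (Gnumeric/Perl case).
    if by_content != "data" and by_content != by_name:
        found.append(f"content is {by_content}, name suggests {by_name}")
    # Final extension is active but an inert-looking one precedes it (letter.doc.vbs).
    stem = os.path.splitext(filename.lower())[0]
    if by_name != "data" and os.path.splitext(stem)[1] in INERT_EXTS:
        found.append("double extension hides an active file type")
    return found


# Constructed samples: (file name, first bytes of the file).
SAMPLES = [
    ("budget.gnumeric", b"#!/usr/bin/perl\nprint 1;\n"),
    ("letter.doc.vbs", b'MsgBox "hello"\r\n'),
    ("notes.txt", b"plain text\n"),
    ("backup.sh", b"#!/bin/sh\n"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(name, "->", warnings_for(name, head) or "ok")
```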


