Re: Nautilus, metadata and extended attributes



> > Would you PLEASE care to show us an example? Your statement does not 
> > become true by repeating it a dozen times!
> 
> Is that a bad joke? I get nearly *one hundred* Windows viruses daily
> which exploit the fact that stupid people encoded metadata into the
> filename.

I think I know what you mean, but it's still not likely to happen with
the new mime detection approach, at least not on a standard setup.

On Windows an email virus spreads by attaching a file like
"letter.doc.vbs" to the mail. Users quickly look at the filename, only
see the "letter.doc" part, and decide to open the file. Windows sees the
.vbs extension and opens the file with the VB Script interpreter. Voila,
you've just run a script on the system. The same goes for .js, .exe,
.com, .bat, .com, .cmd, and other extensions.

However, this couldn't happen on a standard Linux setup because a file
doesn't get executed unless the execute bit is set. Luckily you can't
include file permissions in an attachment, so to run a file the user
has to first save it to disk, manually set the execute permissions, and
then double-click it.

So, imagine someone attaches a file called "balance sheet.gnumeric" that
is actually a shell script. If you save the file to disk and
double-click it, Nautilus will perform the content sniffing. It now
either decides it still is a Gnumeric file and opens it in Gnumeric, or
Nautilus will detect it's a shell script and open it in a text editor. I
just tested with Nautilus 2.4.1 and if a shell script is not set
executable, then Nautilus just opens it in my text editor and doesn't
even give me the choice to run it.

Of course, a user might directly associate their interpreter with script
files using the control center. If Nautilus performs sniffing and finds
out the Gnumeric file is actually a Perl script and then opens it with
the associated Perl interpreter, you would be in trouble. This is even
worse than on Windows, since even an alert user wouldn't notice anything
is wrong until he at least selected the file to force content sniffing
to happen.

I think some consideration should be put into how we handle the case
where the extension and sniffed file type don't match. I think a warning
dialog would be appropriate in this case.

- Frank
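
The extension-versus-sniffed-type check proposed in the message above, as an added example that is not part of the original post and is not Nautilus code. The extension table, the `sniff` and `open_action` names, the action strings and the sample file contents are all assumptions constructed for illustration.

```python
import os

# Constructed table: file extension -> content kinds a file manager would
# accept for it. Assumption: Gnumeric documents are XML, usually gzipped.
EXPECTED = {
    ".gnumeric": {"gzip", "xml"},
    ".sh": {"script"},
    ".pl": {"script"},
    ".txt": {"text"},
}

def sniff(head: bytes) -> str:
    """Classify a file from its first bytes (a tiny stand-in for MIME sniffing)."""
    if head.startswith(b"#!"):
        return "script"            # interpreter line, e.g. #!/bin/sh
    if head.startswith(b"\x1f\x8b"):
        return "gzip"              # gzip magic number
    if head.lstrip().startswith(b"<?xml"):
        return "xml"
    try:
        head.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown"

def open_action(filename: str, head: bytes, exec_bit: bool) -> str:
    """Decide what a double-click should do.

    The mismatch test runs first, so a script hiding behind a document
    extension produces a warning before any handler (text editor or a
    user-associated interpreter) is chosen.
    """
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(head)
    expected = EXPECTED.get(ext)
    if expected is not None and kind not in expected:
        return "warn"              # extension and sniffed type disagree
    if kind == "script":
        # Without the execute bit the script is only shown, never run.
        return "offer-run" if exec_bit else "open-in-editor"
    return "open"

if __name__ == "__main__":
    # Constructed sample: a shell script saved under a spreadsheet name.
    print(open_action("balance sheet.gnumeric", b"#!/bin/sh\necho hi\n", False))
```
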



