[Folder View] Don't show script execution prompt on desktop:/
Closed, Public

Authored by broulik on Feb 9 2017, 6:01 PM.

Details

Summary

This utterly breaks the workflow of users when you have a default desktop containment and then some application shortcuts on there.

Test Plan

No longer get that prompt when I have a regular folderview containment, but still have it for other places where I wouldn't expect executable things.
We still have the prompt for non-executable "untrusted" desktop files (which btw comes even if you accepted the first prompt...)

Diff Detail

Repository: R119 Plasma Desktop
Lint: Automatic diff as part of commit; lint not applicable.
Unit: Automatic diff as part of commit; unit tests not applicable.
broulik retitled this revision from to [Folder View] Don't show script execution prompt on desktop:/. (Feb 9 2017, 6:01 PM)
broulik updated this object.
broulik edited the test plan for this revision.
broulik added reviewers: Plasma, hein, fvogt, dfaure.
broulik set the repository for this revision to R119 Plasma Desktop.
Restricted Application added a project: Plasma. (Feb 9 2017, 6:01 PM)
Restricted Application added a subscriber: plasma-devel.
broulik updated this revision to Diff 11130. (Feb 9 2017, 6:21 PM)
  • Check for the location of the URL we're trying to run instead of the main folder view url (indirectly through parseDesktopFile), this way when opening a subfolder in desktop:/ through cascading it will again ask for confirmation
davidedmundson accepted this revision. (Feb 9 2017, 6:25 PM)
davidedmundson added a reviewer: davidedmundson.
This revision is now accepted and ready to land. (Feb 9 2017, 6:25 PM)
dfaure requested changes to this revision. (Feb 9 2017, 6:28 PM)

This reintroduces the security bug that this whole thing was about in the first place.

Download some file from the internet, save on desktop, click on it - boom.
The Unix principle is that you must make the file executable first before it will actually execute anything.

This revision now requires changes to proceed. (Feb 9 2017, 6:28 PM)
dfaure added a comment. (Feb 9 2017, 6:29 PM)

The code that creates the application shortcuts that you mention should make them executable.

broulik added a comment. (Edited, Feb 9 2017, 6:39 PM)

The "untrusted non-executable desktop file" and "script execution prompt" are completely orthogonal (for some reason).

With this patch I still get the security warning:

  • non-executable .desktop file on some random location: → "would you like to run or open this file?" → Run → "If you don't trust this application, click Cancel"
  • executable .desktop file on some random location: → "would you like to run or open this file?"
  • non-executable .desktop file on desktop: → "If you don't trust this application, click Cancel"
  • executable .desktop file on desktop → runs right away

What I changed is that I no longer get the "would you like to run or open this file?" prompt for executable .desktop files on desktop:/ which breaks the workflow of many.
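
The four cases listed in the comment above, written out as an added audit example (not part of this review thread and not Plasma's code): it reports launchers sitting directly in a desktop folder that would start without any prompt. It assumes desktop:/ corresponds to a local directory supplied by the caller and that only direct children count as "on the desktop" (following the Diff 11130 note about subfolders); the function names and prompt labels are hypothetical.

```python
import os
import stat
import sys
from pathlib import Path

# Hypothetical labels for the two dialogs quoted in the thread.
RUN_OR_OPEN = "run-or-open"            # "would you like to run or open this file?"
UNTRUSTED = "untrusted-application"    # "If you don't trust this application, click Cancel"

def exec_line(path):
    """Return the first Exec= value of a .desktop file, or None."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if line.startswith("Exec="):
                return line[len("Exec="):].strip()
    return None

def classify(path, desktop_dir):
    """Prompts a click would pass through, per the four cases in the thread."""
    executable = bool(os.stat(path).st_mode & stat.S_IXUSR)
    # Assumption: only direct children of the desktop folder are exempt.
    on_desktop = Path(path).parent.resolve() == Path(desktop_dir).resolve()
    prompts = []
    if not on_desktop:
        prompts.append(RUN_OR_OPEN)
    if not executable:
        prompts.append(UNTRUSTED)      # shown after "Run" when both apply
    return prompts

def audit(desktop_dir):
    """(name, Exec value) for launchers on the desktop that run with no prompt."""
    return [(p.name, exec_line(p))
            for p in sorted(Path(desktop_dir).glob("*.desktop"))
            if not classify(p, desktop_dir)]

if __name__ == "__main__":
    # Usage: python audit_desktop.py ~/Desktop   (the path is the caller's choice)
    for name, cmd in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{name}: starts without a prompt -> {cmd}")
```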

dfaure accepted this revision. (Feb 9 2017, 6:42 PM)

Oh I see.

This revision is now accepted and ready to land. (Feb 9 2017, 6:42 PM)
hein accepted this revision. (Feb 10 2017, 9:04 AM)
This revision was automatically updated to reflect the committed changes.