As stated in

http://www.geekzone.co.nz/foobar/6229
http://lwn.net/Articles/319072/
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516008

there is a nasty bug that .desktop files can execute arbitrary shell
code (or any other interpreted language) without executable bit set.

There are 2 big problems:

- .desktop files have the feature that they can get any icon, a user
might recognise it as picture or document and try to open it.

- .desktop do not honor noexec in contrast to normal shell scripts,
which won't be executed in that situation.


Both can be solved by using a shebang
 #!/usr/bin/desktop-launch

This even allows other desktop systems to execute the .desktop files
easily without special support. Of course the icon won't work then.
Fr Jul 30 13:54:24 CEST 2021
patent_button.gif valid-html401.png elektra.jpg fsfe-logo.png valid-css.png vim.gif anybrowser.gif