Re: Fwd: Using xdg-open in /etc/mailcap causes hole in Firefox (Demonstration/Exploit included)

["Bernhard R. Link" <brlink () debian org>]

* Josh Bressers <bressers () redhat com> [090106 20:47]:
> Here's a heads up for everyone (I've CCd the discoverer)
> ----- Forwarded Message -----
[...]
> This page delivers a .desktop file with the mime-type "application/pdf". In default configuration, Firefox offers to 
> open this file with the default application, which is xdg-open. Just one click on "OK" (and most users won't have a 
> closer look at the dialog!) and the content in the .desktop file is immediately executed!

I guess that is what people get for reinventing "see", they get the
exact same security problems other browser/"generic viewer" combinations
had years ago....

And xdg-open had not even a way to specify the mime-type...
</rant>

        Bernhard R. Link