Comment 10 for bug 197804

A. Walton (awalton) wrote :

This might be a tough one to fix. If I understand correctly, RLO and LRO are often used while internationalizing text. Nautilus normally doesn't do anything tricky when displaying names. We just pass them over to Pango to be rendered and display them. We could fix it on a per-locale basis, but we would still get it wrong for a lot of people (e.g. people who use one locale but have files with names from different locales).

Per the most common and worrisome case, when launching a script from Nautilus, we ask whether you want to edit it or launch it beforehand, which mostly defeats this attack. The only remaining vector then would be to use a specially crafted Desktop Entry file, which is a different bug altogether (Nautilus could be a lot more picky about launching these). I think the Wine+EXE case is even more specific and rare than the two mentioned above.

Anyways, feel free to forward it upstream and/or work on it if you like.
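The following is an added example, not part of the original comment and not Nautilus or Pango code. It is one locale-independent way to flag file names that carry explicit LRO/RLO overrides and to show the name in stored order, while leaving names that simply contain right-to-left letters alone. The function names and sample file names are constructed for illustration.

```python
# Explicit bidirectional formatting controls defined by Unicode.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
OVERRIDES = {"\u202d", "\u202e"}  # LRO / RLO force the display order


def escape_name(name):
    """Return the name in logical (stored) order with controls made visible."""
    return "".join(f"<{BIDI_CONTROLS[c]}>" if c in BIDI_CONTROLS else c
                   for c in name)


def logical_extension(name):
    """Extension as stored on disk, ignoring any bidi controls."""
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    _, dot, ext = stripped.rpartition(".")
    return ext.lower() if dot else ""


def check_name(name):
    """Summarise what a file manager could show before launching a file."""
    return {
        "has_override": any(c in OVERRIDES for c in name),
        "controls": sorted({BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS}),
        "escaped": escape_name(name),
        "extension": logical_extension(name),
    }


# Constructed sample names (not taken from the bug report).
SAMPLES = [
    "report.txt",                 # plain ASCII
    "\u05d3\u05d5\u05d7.txt",     # Hebrew letters, no formatting controls
    "photo\u202egnp.sh",          # RLO present: renders with ".png" at the end
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_name(sample))
```

Only the third sample is flagged: its stored extension is `sh`, while the Hebrew-named file passes untouched because right-to-left letters alone need no override character.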