To comment on the following update, log in, then open the issue:
http://www.openoffice.org/issues/show_bug.cgi?id=58013





------- Additional comments from [EMAIL PROTECTED] Thu Jan 26 16:26:34 -0800 2006 -------
Successfully replicated the bug on OOo 2.0 680m3 Build 8968 on RedHat 7.3.

For some URLs, it was necessary to manually create the URL instead of typing it
and then hitting enter. To manually create the URL:

1. Click on Insert > Hyperlink
2. A dialog should pop up. Enter the URL in "Target".
3. Click on "Apply"
4. Click on "Close" to close the dialog box.
5. The link should appear where the cursor was.

Upon further investigation, it was discovered that ( ) are not the only
characters that do not work with OpenOffice. Moreover, it is possible to execute
commands if correct characters are used. For example:

http://www.google.com/;clear;ls
(opens the webpage, clears the screen and lists all files because of ls.)

I have attached a file 'List_of_Different_URLs.odt' which has various URLs with
different characters and their outcomes. 

This has some serious implications and can be exploited easily; one can run any
program with a simple usage of ";". However, it was not possible to execute
commands such as echo 'this' because all whitespace in the URL was properly
encoded. However, there are some characters that were not properly encoded (such
as "). Presence of certain shell characters such as $ also yielded unexpected
results. 

Below are the contents of List_of_Different_URLs.odt:

-----------------------------------------------------------------------------------------
http://en.wikipedia.org/wiki/Shell_(computers)
(does not work)

http://en.wikipedia.org/wiki/Shell_%28computing%29
(encoded URL - works)

Other Characters

http://www.google.com/search?hl=$100+bill
(does not render correct URL - will leave out the $1)

http://unix.t-a-y-l-o-r.com/;clear;ls
(opens the webpage, clears the screen and lists all files because of ls.)

http://www.google.com/;exec mozilla;
(gives an error, but still opens a webpage. The exec will not be executed
because it encodes all whitespace to %20. No error printed in terminal.)

http://www.yahoo.com/<>
(works and encodes < properly, but omits the second >; no error printed in
terminal)

http://www.yahoo.com/\
(works, encoded properly; no error printed in terminal)

http://www.yahoo.com/";
(works, but incorrectly encoded to ”(%E2%80%9D) instead of "(%22); no error
printed in terminal)

http://www.yahoo.com/'
(does not work - gives an error. Terminal had the following message:
sh: -c line 1: unexpected EOF while looking for matching `''
sh: -c line 2: syntax error: unexpected end of file
)

http://www.yahoo.com/;echo 'this';
(gives an error, but still opens a webpage. The echo will not be executed
because all whitespace is properly encoded.)
-----------------------------------------------------------------------------------------

---------------------------------------------------------------------
Please do not reply to this automatically generated notification from
Issue Tracker. Please log onto the website and enter your comments.
http://qa.openoffice.org/issue_handling/project_issues.html#notification

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
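
The outcomes listed in the report are what a shell does when a URL is spliced into a `sh -c` command string. The following is an added example, not OpenOffice.org code and not part of the original comment: it runs four of the reported URLs through a stand-in browser (`echo`) both ways. The names `via_shell` and `via_argv` are hypothetical, and the shell-string pattern is an assumption inferred from the `sh: -c` messages above.

```python
import subprocess
from urllib.parse import urlsplit

BROWSER = "echo"  # assumption: stand-in for the browser binary; prints the argument it receives

# URLs copied from the report above.
REPORTED = [
    "http://en.wikipedia.org/wiki/Shell_(computers)",
    "http://www.google.com/search?hl=$100+bill",
    "http://www.google.com/;clear;ls",
    "http://www.yahoo.com/'",
]

def via_shell(url):
    """Unsafe pattern (assumed from the 'sh: -c' errors): URL spliced into a shell string.
    Returns (exit status, first line the stand-in browser printed)."""
    p = subprocess.run(f"{BROWSER} {url}", shell=True, capture_output=True, text=True)
    lines = p.stdout.splitlines()
    return p.returncode, (lines[0] if lines else "")

def via_argv(url):
    """Hardened pattern: allow-list the scheme, then pass the URL as one argv element.
    No shell parses it, so ; $ ( ) ' reach the browser as literal characters."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"refusing to open {url!r}")
    # The scheme check also guarantees the argument cannot start with '-'.
    p = subprocess.run([BROWSER, url], capture_output=True, text=True, check=True)
    return p.stdout.rstrip("\n")

if __name__ == "__main__":
    for url in REPORTED:
        status, seen = via_shell(url)
        print(f"{url}\n  sh -c : exit={status} browser saw {seen!r}")
        print(f"  argv  : browser saw {via_argv(url)!r}")
```

With the shell string, the browser receives a truncated or altered URL or nothing at all; with the argv form it receives each URL byte for byte.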

