Author: hdu
Date: Thu Jul 10 09:11:07 2014
New Revision: 1609426
URL: http://svn.apache.org/r1609426
Log:
#i125226# disallow absolute and relative paths for DDE servers
Modified:
openoffice/trunk/main/sfx2/source/appl/impldde.cxx
Modified: openoffice/trunk/main/sfx2/source/appl/impldde.cxx
URL:
http://svn.apache.org/viewvc/openoffice/trunk/main/sfx2/source/appl/impldde.cxx?rev=1609426&r1=1609425&r2=1609426&view=diff
==============================================================================
--- openoffice/trunk/main/sfx2/source/appl/impldde.cxx (original)
+++ openoffice/trunk/main/sfx2/source/appl/impldde.cxx Thu Jul 10 09:11:07 2014
@@ -260,19 +260,20 @@ sal_Bool SvDDEObject::Connect( SvBaseLin
// check the suitability of starting the DDE server
const SvtSecurityOptions aSecOpts;
bool bForbidden = (aSecOpts.GetMacroSecurityLevel() ==
eNEVER_EXECUTE);
- bForbidden |= (bInWinExec != sal_False);
+ bForbidden |= (sServer.SearchChar( L":./%\\") !=
STRING_NOTFOUND);
static const char* aBadServers[] = { "cmd", "rundll32" };
for( int i = 0; i < sizeof(aBadServers)/sizeof(*aBadServers);
++i)
- bForbidden |= (sServer.CompareIgnoreCaseToAscii(
aBadServers[i]) == COMPARE_EQUAL );
+ bForbidden |= (sServer.CompareIgnoreCaseToAscii(
aBadServers[i]) == COMPARE_EQUAL);
// try to start the DDE server if it is not there already
+ bForbidden |= (bInWinExec != sal_False);
if( !bForbidden )
{
ByteString aCmdLine( sServer, RTL_TEXTENCODING_ASCII_US
);
aCmdLine.Append( ".exe " );
aCmdLine.Append( ByteString( sTopic,
RTL_TEXTENCODING_ASCII_US ) );
- if( WinExec( aCmdLine.GetBuffer(), SW_SHOWMINIMIZED ) <
32 )
+ if( WinExec( aCmdLine.GetBuffer(), SW_SHOWMINIMIZED ) <
32 ) // TODO: use CreateProcess() instead
nError = DDELINK_ERROR_APP;
else
{
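Review bot: The gate on `sServer` is still a denylist (the `L":./%\\"` character set plus the two names in `aBadServers`), so any other bare program name that WinExec can resolve through its search path is still launched, and `sTopic` is appended to the command line without any check. An allowlist of the DDE servers the suite actually expects would be tighter: have the loop set `bKnown |= (sServer.CompareIgnoreCaseToAscii( aKnownServers[i] ) == COMPARE_EQUAL);` over a placeholder table `aKnownServers`, then `bForbidden |= !bKnown;`. The character check also runs on the Unicode `sServer`, while WinExec receives the `RTL_TEXTENCODING_ASCII_US` conversion in `aCmdLine`. Whether that conversion can turn a non-ASCII character into one of the rejected ones is not visible here, so testing the converted bytes would be the safer order. The body of `SvDDEObject::Connect` starts and ends outside the hunk.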