Hello all,

replying to an older message in this thread.

On Thu, May 13, 2021 at 07:23:16PM -0400, Carl Marcum wrote:

[...]
> Hopefully we can collect the exceptions in the BZ issue noted in this thread
> and then agree on the direction.
> 
> The few I see so far are:
> 1. in-document links beginning with #.
> 2. .uno:XXX links
> 3. Links to local files.
> 
> I think all 3 are candidates but that's just me.

I have bad news about number 1. Apparently, when the link is indicated
as "#anchor", it is transformed into "file://path/document.ods#anchor"
and then passed to SfxApplication::OpenDocExec_Impl().

This means that if we want to have warning-less links to the same
document, then we may have to consider the file:// protocol possibly
safe. We should then rely on extensions.

Surprisingly, the OpenDocument extensions do not seem to be included in
the standard list of safe extensions. Such a list should be in
main/officecfg/registry/data/org/openoffice/Office/Security.xcu -- I
cannot recall who brought this to my attention and therefore I am
unable to credit him/her, I am sorry.

Does anyone see any possible security issues in considering the
file:// protocol safe and deciding on the target file's extension
whether to show a warning or not?

Best regards,
-- 
Arrigo
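
The extension-based decision asked about above, sketched as an added example (not code from the message or from the OpenOffice source). The function names and the allow-list are hypothetical and constructed for illustration; the list is not the contents of Security.xcu.

```cpp
#include <algorithm>
#include <cctype>
#include <set>
#include <string>

enum class Action { OpenSilently, Warn };

// Constructed allow-list for illustration; NOT the contents of Security.xcu.
static const std::set<std::string> kSafeExtensions = {"odt", "ods", "odp", "odg"};

// Decode %XX escapes so an encoded extension cannot dodge the comparison.
static std::string percentDecode(const std::string& s) {
    std::string out;
    for (std::size_t i = 0; i < s.size(); ++i) {
        if (s[i] == '%' && i + 2 < s.size() &&
            std::isxdigit(static_cast<unsigned char>(s[i + 1])) &&
            std::isxdigit(static_cast<unsigned char>(s[i + 2]))) {
            out += static_cast<char>(std::stoi(s.substr(i + 1, 2), nullptr, 16));
            i += 2;
        } else {
            out += s[i];
        }
    }
    return out;
}

// Lower-cased extension of the target file, ignoring the "#anchor" part.
static std::string extensionOf(const std::string& url) {
    // Split off the fragment BEFORE decoding: "%23" is a literal '#' in a file name.
    std::string path = percentDecode(url.substr(0, url.find('#')));
    // Control characters (including NUL) in a file name: fail closed.
    if (std::any_of(path.begin(), path.end(), [](unsigned char c) { return c < 0x20; }))
        return "";
    path = path.substr(path.find_last_of('/') + 1);  // last path segment
    const std::size_t dot = path.find_last_of('.');
    if (dot == std::string::npos) return "";
    std::string ext = path.substr(dot + 1);
    std::transform(ext.begin(), ext.end(), ext.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return ext;
}

// Hypothetical policy function: file:// is allowed, the extension decides.
Action decide(const std::string& link, const std::string& currentDocUrl) {
    // "#anchor" is expanded against the current document, as the message describes.
    const std::string url = (!link.empty() && link[0] == '#') ? currentDocUrl + link : link;
    if (url.compare(0, 7, "file://") != 0) return Action::Warn;  // other schemes not modelled
    return kSafeExtensions.count(extensionOf(url)) ? Action::OpenSilently : Action::Warn;
}
```

Under this rule an in-document link still produces a warning when the current document's own extension is not on the list, and anything the parser cannot classify (no extension, trailing dot, embedded control character) falls through to the warning.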
