Hello all,

replying to an older message in this thread.

On Thu, May 13, 2021 at 07:23:16PM -0400, Carl Marcum wrote:

> Hopefully we can collect the exceptions in the BZ issue noted in this thread
> and then agree on the direction.
> The few I see so far are:
> 1. in-document links beginning with #.
> 2. .uno:XXX links
> 3. Links to local files.
> I think all 3 are candidates but that's just me.

I have bad news about number 1. Apparently, when the link is indicated
as "#anchor", it is transformed into "file://path/document.ods#anchor"
and then passed to SfxApplication::OpenDocExec_Impl()

This means that if we want to have warning-less links to the same
document, then we may have to consider the file:// protocol possibly
safe. We should then rely on extensions.

Suprisingly, the OpenDocument extensions do not seem to be included in
the standard list of safe extensions. Such list should be in
main/officecfg/registry/data/org/openoffice/Office/Security.xcu -- I
cannot recall who brought this to my attention and therefore I am
unable to credit him/her, I am sorry.

Does anyone see any possible security issues in considering the
file:// protocol safe and deciding on the target file's extension
whether to show a warning or not?

Best regards,

To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Reply via email to