On 28.05.21 22:04, Arrigo Marchiori wrote:
Hello all,

replying to an older message in this thread.

On Thu, May 13, 2021 at 07:23:16PM -0400, Carl Marcum wrote:

[...]
Hopefully we can collect the exceptions in the BZ issue noted in this thread
and then agree on the direction.

The few I see so far are:
1. in-document links beginning with #.
2. .uno:XXX links
3. Links to local files.

I think all 3 are candidates but that's just me.
I have bad news about number 1. Apparently, when the link is indicated
as "#anchor", it is transformed into "file://path/document.ods#anchor"
and then passed to SfxApplication::OpenDocExec_Impl()

This means that if we want to have warning-less links to the same
document, then we may have to consider the file:// protocol possibly
safe. We should then rely on extensions.

Surprisingly, the OpenDocument extensions do not seem to be included in
the standard list of safe extensions. Such list should be in
main/officecfg/registry/data/org/openoffice/Office/Security.xcu -- I
cannot recall who brought this to my attention and therefore I am
unable to credit him/her, I am sorry.

Does anyone see any possible security issues in considering the
file:// protocol safe and deciding on the target file's extension
whether to show a warning or not?

I would not go for file://. Can we go for a pattern derived from file://path/document.ods#anchor?


We had CVEs in the past working with file links, based on the ODF definition and UNO. Maybe you can try the test files from those CVEs.

--
This is the Way! http://www.apache.org/theapacheway/index.html
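To make the two positions above concrete, here is an added example (not OpenOffice code) of the narrower check the reply asks for: a link skips the warning only when its document part is exactly the currently open document, or when its extension is on an explicit allow-list; every other file:// target still warns. It assumes the office has already rewritten "#anchor" into "file://path/document.ods#anchor" as described in the thread, that `currentDoc` is the open document's file:// URL without a fragment, and that `safeExtensions` is a constructed stand-in for the list kept in Security.xcu.

```cpp
#include <cctype>
#include <set>
#include <string>

enum class LinkVerdict { SameDocument, UnoCommand, LocalFileSafeExt, NeedsWarning };

// Extension of the path component, lower-cased so "Notes.TXT" matches "txt".
// Returns "" when the last '.' belongs to a directory name or is absent.
static std::string extensionOf(const std::string& path) {
    std::string::size_type slash = path.find_last_of('/');
    std::string::size_type dot = path.find_last_of('.');
    if (dot == std::string::npos || (slash != std::string::npos && dot < slash))
        return "";
    std::string ext = path.substr(dot + 1);
    for (char& c : ext)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return ext;
}

// link:           the URL as it reaches the open-document code path
// currentDoc:     file:// URL of the document the link lives in (no fragment)
// safeExtensions: lower-case extensions that may open without a warning
LinkVerdict classifyLink(const std::string& link, const std::string& currentDoc,
                         const std::set<std::string>& safeExtensions) {
    if (link.rfind(".uno:", 0) == 0)
        return LinkVerdict::UnoCommand;
    if (link.rfind("file://", 0) != 0)
        return LinkVerdict::NeedsWarning;   // http://, ftp://, mailto:, ... keep the warning

    // The fragment ("#anchor") and any query are irrelevant for deciding which
    // file is opened; compare only the document part against the open document.
    std::string docPart = link.substr(0, link.find_first_of("#?"));
    if (docPart == currentDoc)
        return LinkVerdict::SameDocument;   // the in-document "#anchor" case

    // A different local file: trust nothing but the allow-listed extension,
    // which is deliberately not "file:// is safe" in general.
    std::string ext = extensionOf(docPart);
    if (!ext.empty() && safeExtensions.count(ext))
        return LinkVerdict::LocalFileSafeExt;
    return LinkVerdict::NeedsWarning;
}
```

Note that the extension is read from the document part, not from the fragment, so a fragment can never change which allow-list entry applies.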
