Hello All, On Wed, Jun 02, 2021 at 01:00:08PM -0700, Dave Fisher wrote:
> > On Jun 2, 2021, at 11:58 AM, Marcus <marcus.m...@wtnet.de> wrote: > > > > Am 02.06.21 um 00:07 schrieb Peter Kovacs: > >> On 01.06.21 21:57, Arrigo Marchiori wrote: > >>>>> I would not go for file://. Can we go for a pattern derivated from > >>>>> file://path/document.ods#anchor ? > >>> I am not sure I understand your question, Peter. > >>> > >> I am suggesting not to trust file:// in general, but the anchored URL, > > > > yes, the securty report is talking about nin-http(s) links, And "ile" is > > not http. There we have to treat this as insecure. > > > >> maybe file://*#anchor if you like. > >> But maybe I got this URL wrong. > > > > Hm, I don't see how an anchor makes the document more secure. ;-) > > We need to know if the file:// is already open. We might be able to know whether the file is already open, if it is an AOO document. But what if the file is a JPG image? Or a MP3 audio? Should it not be considered safe as well? And for what I know, AOO cannot open images or MP3's as documents. Judging on the file extension seems to me the best way to follow, at least for the file:/// protocol and any other protocols that rely on XSystemShellExecute::execute(). I hope this makes sense. -- Arrigo --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
