> On May 28, 2021, at 1:04 PM, Arrigo Marchiori <ard...@yahoo.it.INVALID> wrote:
>
> Hello all,
>
> replying to an older message in this thread.
>
> On Thu, May 13, 2021 at 07:23:16PM -0400, Carl Marcum wrote:
>
> [...]
>> Hopefully we can collect the exceptions in the BZ issue noted in this thread
>> and then agree on the direction.
>>
>> The few I see so far are:
>> 1. in-document links beginning with #.
>> 2. .uno:XXX links
>> 3. Links to local files.
>>
>> I think all 3 are candidates but that's just me.
>
> I have bad news about number 1. Apparently, when the link is indicated
> as "#anchor", it is transformed into "file://path/document.ods#anchor"
> and then passed to SfxApplication::OpenDocExec_Impl()
Is it possible to check to see if "file://path/document.ods" is already open?
>
> This means that if we want to have warning-less links to the same
> document, then we may have to consider the file:// protocol possibly
> safe. We should then rely on extensions.
>
> Surprisingly, the OpenDocument extensions do not seem to be included in
> the standard list of safe extensions. Such list should be in
> main/officecfg/registry/data/org/openoffice/Office/Security.xcu -- I
> cannot recall who brought this to my attention and therefore I am
> unable to credit him/her, I am sorry.
I think it was Carl. Updating the Security.xcu file to include all trusted
extensions makes sense regardless of how we choose to handle hyperlinks.
Regards,
Dave
>
> Does anyone see any possible security issues in considering the
> file:// protocol safe and deciding on the target file's extension
> whether to show a warning or not?
>
> Best regards,
> --
> Arrigo
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org
>
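
Added example, not OpenOffice code and not from either poster: a sketch of the decision discussed above (skip the warning for a link back into the open document, otherwise decide on the file:// target's extension) with the normalisation such a check needs. The names `needsWarning`, `pctDecode`, `lower` and the `kSafeExt` list are hypothetical; treating a file:// URL that names a host as always warning is an assumption of this sketch.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <set>
#include <string>

// Constructed sample list, not the contents of Security.xcu.
static const std::set<std::string> kSafeExt = {"ods", "odt", "odp"};

// Decode %XX escapes so "%2Eexe" cannot hide the real extension.
static std::string pctDecode(const std::string& s) {
    std::string out;
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] == '%' && i + 2 < s.size() &&
            std::isxdigit((unsigned char)s[i + 1]) && std::isxdigit((unsigned char)s[i + 2])) {
            out += (char)std::stoi(s.substr(i + 1, 2), nullptr, 16);
            i += 2;
        } else out += s[i];
    }
    return out;
}

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) { return (char)std::tolower(c); });
    return s;
}

// Returns true when the user should be warned before the link is followed.
// currentDoc: URL of the open document; safeExt: lower-case extensions without the dot.
bool needsWarning(const std::string& currentDoc, const std::string& target,
                  const std::set<std::string>& safeExt) {
    std::string base = target.substr(0, target.find('#'));      // drop "#anchor"
    if (pctDecode(base) == pctDecode(currentDoc)) return false; // jump inside the open document
    if (lower(base.substr(0, 7)) != "file://") return true;     // other schemes are out of scope here
    std::string rest = base.substr(7);
    size_t slash = rest.find('/');
    if (slash == std::string::npos) return true;                // no path component
    std::string host = lower(rest.substr(0, slash));
    if (!host.empty() && host != "localhost") return true;      // file://server/share is a network fetch
    std::string path = pctDecode(rest.substr(slash));
    std::string name = path.substr(path.find_last_of('/') + 1);
    size_t dot = name.find_last_of('.');
    if (dot == std::string::npos || dot == 0) return true;      // no extension, or a dotfile
    return safeExt.count(lower(name.substr(dot + 1))) == 0;     // "x.ods." yields "" and warns
}

int main() {  // constructed sample links
    for (const char* t : {"file:///home/u/book.ods#Sheet2", "file:///home/u/a.ods%2Eexe"})
        std::cout << t << " -> warn=" << needsWarning("file:///home/u/book.ods", t, kSafeExt) << "\n";
}
```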