Hello Carl, All,

On Sat, Jun 05, 2021 at 03:47:12PM -0400, Carl Marcum wrote:

> Hi Arrigo,
>
> On 6/5/21 9:50 AM, Arrigo Marchiori wrote:
> > Dear Matthias, Czesław, All,
> >
> > On Sat, Jun 05, 2021 at 12:39:16PM +0200, Matthias Seidel wrote:
> >
> > > Hi Czesław,
> > >
> > > On 05.06.21 at 12:35, Czesław Wolański wrote:
> > > > Hi Matthias, all
> > > >
> > > > A preliminary check in Calc (Windows 7, 64-bit)
> > > >
> > > > (1) in-document links beginning with #
> > > > test: button with link to other sheet
> > > > result: OK (no security warning)
> > > >
> > > > (2) .uno:XXX links
> > > > result: security warning
> > > >
> > > > (3) Links to local files
> > > > test: the "Hyperlink" dialog, button "WWW Browser"
> > > > result: OK (no security warning)
> > > That's what I expected, since the patches are for file://
> > >
> > > .uno: hasn't been addressed yet
> > >
> > > @Arrigo: correct me if I am wrong ;-)
> > You should have just become wrong ;-)
> >
> > I found out that there are many checks on the URL protocol. I suggest
> > that the warning was not checked at the right moment, but too soon.
> >
> > Because we had a report of unexpected _execution_ of malicious links,
> > I suggest we leave the safety check on hyperlinks _just before calling
> > the OS to execute them_.
> >
> > The result is that HTTP, HTTPS, but also "uno:" and all other
> > protocols already understood by AOO are not checked, and no warnings
> > will appear. We could argue that their safety must be assured by the
> > code handling them, as we accepted to delegate the browser for
> > Internet links.
> >
> > The latest commit, just pushed to branch bug128453, moves the check
> > for "safe extensions" (or directory) from the beginning of hyperlinks'
> > processing, to just before the execution of the link target by the OS.
> > The protocol is not checked any more, because supported protocols
> > are already filtered out and processed at that point.
> >
> > This should make all links to non-files work again, and still warn
> > users when they are going to open JARs, EXEs and other unknown
> > types.
> >
> > What do you think about this?
> I like your thinking on this.
> I'll build this branch on Linux and test using some of the test documents
> and ones I've made to make sure I understand the different cases.
> Then I'll report back.

You can find my 64 bit Linux builds here:
https://home.apache.org/~ardovm/openoffice/bug128453/

I tried the "beta" option of the build script... I hope it works.

Thank you for your cooperation!

Best regards,
--
Arrigo
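
The check placement described in the quoted message above (protocol handlers run first, and the "safe extension or directory" check applies only to what is about to be handed to the OS), as an added sketch that is not OpenOffice code. The function names, the prefix list, the extension allow-list and the trailing-slash directory test are all assumptions made for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <initializer_list>
#include <set>
#include <string>

enum class Action { HandledByProtocolCode, OpenedByOS, WarnUser };

// Constructed allow-list for illustration; not the project's actual list.
static const std::set<std::string> kSafeExtensions = {"odt", "ods", "odp", "pdf", "txt", "png"};

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Step 1: targets processed by the application's own protocol code
// (or delegated to the browser) never reach the OS "execute" call.
static bool handledByProtocolCode(const std::string& url) {
    for (const char* prefix : {"#", ".uno:", "http://", "https://"})
        if (url.compare(0, std::string(prefix).size(), prefix) == 0) return true;
    return false;
}

// Step 2: the safety check, applied only to what is left over.
static bool isSafeTarget(const std::string& url) {
    if (!url.empty() && url.back() == '/') return true;  // assumption: trailing '/' marks a directory
    const std::size_t slash = url.find_last_of('/');
    const std::size_t dot = url.find_last_of('.');
    if (dot == std::string::npos || (slash != std::string::npos && dot < slash))
        return false;  // no extension in the last path segment: unknown type
    return kSafeExtensions.count(url.substr(dot + 1)) > 0;
}

Action dispatchHyperlink(const std::string& rawUrl) {
    const std::string url = toLower(rawUrl);
    if (handledByProtocolCode(url)) return Action::HandledByProtocolCode;
    // Last step before handing the target to the OS: warn on unknown types.
    return isSafeTarget(url) ? Action::OpenedByOS : Action::WarnUser;
}
```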