sfx2/source/appl/impldde.cxx | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
New commits:
commit 6b64ada6e3a902ac4b44fe49476514d49138d4d4
Author: Herbert Dürr <h...@apache.org>
Date: Thu Jul 10 09:11:07 2014 +0000
#i125226# disallow absolute and relative paths for DDE servers
diff --git a/sfx2/source/appl/impldde.cxx b/sfx2/source/appl/impldde.cxx
index 76981f9..3fbcaa7 100644
--- a/sfx2/source/appl/impldde.cxx
+++ b/sfx2/source/appl/impldde.cxx
@@ -260,19 +260,20 @@ sal_Bool SvDDEObject::Connect( SvBaseLink * pSvLink )
// check the suitability of starting the DDE server
const SvtSecurityOptions aSecOpts;
bool bForbidden = (aSecOpts.GetMacroSecurityLevel() == eNEVER_EXECUTE);
- bForbidden |= (bInWinExec != sal_False);
+ bForbidden |= (sServer.SearchChar( L":./%\\") != STRING_NOTFOUND);
static const char* aBadServers[] = { "cmd", "rundll32" };
for( int i = 0; i < sizeof(aBadServers)/sizeof(*aBadServers); ++i)
- bForbidden |= (sServer.CompareIgnoreCaseToAscii( aBadServers[i])
== COMPARE_EQUAL );
+ bForbidden |= (sServer.CompareIgnoreCaseToAscii( aBadServers[i])
== COMPARE_EQUAL);
// try to start the DDE server if it is not there already
+ bForbidden |= (bInWinExec != sal_False);
if( !bForbidden )
{
ByteString aCmdLine( sServer, RTL_TEXTENCODING_ASCII_US );
aCmdLine.Append( ".exe " );
aCmdLine.Append( ByteString( sTopic, RTL_TEXTENCODING_ASCII_US ) );
- if( WinExec( aCmdLine.GetBuffer(), SW_SHOWMINIMIZED ) < 32 )
+ if( WinExec( aCmdLine.GetBuffer(), SW_SHOWMINIMIZED ) < 32 ) //
TODO: use CreateProcess() instead
nError = DDELINK_ERROR_APP;
else
{
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
