Posted to commits@openoffice.apache.org by hd...@apache.org on 2014/07/10 11:11:07 UTC

svn commit: r1609426 - /openoffice/trunk/main/sfx2/source/appl/impldde.cxx

Author: hdu
Date: Thu Jul 10 09:11:07 2014
New Revision: 1609426

URL: http://svn.apache.org/r1609426
Log:
#i125226# disallow absolute and relative paths for DDE servers

Modified:
    openoffice/trunk/main/sfx2/source/appl/impldde.cxx

Modified: openoffice/trunk/main/sfx2/source/appl/impldde.cxx
URL: http://svn.apache.org/viewvc/openoffice/trunk/main/sfx2/source/appl/impldde.cxx?rev=1609426&r1=1609425&r2=1609426&view=diff
==============================================================================
--- openoffice/trunk/main/sfx2/source/appl/impldde.cxx (original)
+++ openoffice/trunk/main/sfx2/source/appl/impldde.cxx Thu Jul 10 09:11:07 2014
@@ -260,19 +260,20 @@ sal_Bool SvDDEObject::Connect( SvBaseLin
 		// check the suitability of starting the DDE server
 		const SvtSecurityOptions aSecOpts;
 		bool bForbidden = (aSecOpts.GetMacroSecurityLevel() == eNEVER_EXECUTE);
-		bForbidden |= (bInWinExec != sal_False);
+		bForbidden |= (sServer.SearchChar( L":./%\\") != STRING_NOTFOUND);
 		static const char* aBadServers[] = { "cmd", "rundll32" };
 		for( int i = 0; i < sizeof(aBadServers)/sizeof(*aBadServers); ++i)
-			bForbidden |= (sServer.CompareIgnoreCaseToAscii( aBadServers[i]) == COMPARE_EQUAL );
+			bForbidden |= (sServer.CompareIgnoreCaseToAscii( aBadServers[i]) == COMPARE_EQUAL);
 
 		// try to start the DDE server if it is not there already
+		bForbidden |= (bInWinExec != sal_False);
 		if( !bForbidden )
 		{
 			ByteString aCmdLine( sServer, RTL_TEXTENCODING_ASCII_US );
 			aCmdLine.Append( ".exe " );
 			aCmdLine.Append( ByteString( sTopic, RTL_TEXTENCODING_ASCII_US ) );
 
-			if( WinExec( aCmdLine.GetBuffer(), SW_SHOWMINIMIZED ) < 32 )
+			if( WinExec( aCmdLine.GetBuffer(), SW_SHOWMINIMIZED ) < 32 ) // TODO: use CreateProcess() instead
 				nError = DDELINK_ERROR_APP;
 			else
 			{
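Review bot: The server check at the top of this hunk is still a denylist: once a name passes the new `SearchChar( L":./%\\")` filter, anything other than `cmd` and `rundll32` is handed to `WinExec()` with `.exe` appended, so whichever program the Windows search order resolves for a document-supplied name gets started. An allowlist of the DDE servers the application is meant to launch would be the safer shape, e.g. `bForbidden |= !IsKnownDDEServer( sServer );` (the helper name is a placeholder) in place of the `aBadServers` loop. `sTopic` is also appended to the command line without any check, and it presumably comes from the same link data as `sServer`; a comment such as `// sTopic is document-controlled and becomes the server's argument string` next to that `Append` would at least record it. The body of `SvDDEObject::Connect` starts and ends outside the hunk, so the origin of both strings should be confirmed there.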