authorHerbert Dürr <hdu@apache.org>2014-07-10 09:11:07 +0000
committerHerbert Dürr <hdu@apache.org>2014-07-10 09:11:07 +0000
commit6b64ada6e3a902ac4b44fe49476514d49138d4d4 (patch)
tree132e9309000acaf95dccbc1422881bb4156517e3
parent727ea069c6342e01a50c8b068ec302574b251cbd (diff)
#i125226# disallow absolute and relative paths for DDE servers
-rw-r--r--sfx2/source/appl/impldde.cxx7
1 files changed, 4 insertions, 3 deletions
diff --git a/sfx2/source/appl/impldde.cxx b/sfx2/source/appl/impldde.cxx
index 76981f96b5ea..3fbcaa77cc9a 100644
--- a/sfx2/source/appl/impldde.cxx
+++ b/sfx2/source/appl/impldde.cxx
@@ -260,19 +260,20 @@ sal_Bool SvDDEObject::Connect( SvBaseLink * pSvLink )
// check the suitability of starting the DDE server
const SvtSecurityOptions aSecOpts;
bool bForbidden = (aSecOpts.GetMacroSecurityLevel() == eNEVER_EXECUTE);
- bForbidden |= (bInWinExec != sal_False);
+ bForbidden |= (sServer.SearchChar( L":./%\\") != STRING_NOTFOUND);
static const char* aBadServers[] = { "cmd", "rundll32" };
for( int i = 0; i < sizeof(aBadServers)/sizeof(*aBadServers); ++i)
- bForbidden |= (sServer.CompareIgnoreCaseToAscii( aBadServers[i]) == COMPARE_EQUAL );
+ bForbidden |= (sServer.CompareIgnoreCaseToAscii( aBadServers[i]) == COMPARE_EQUAL);
// try to start the DDE server if it is not there already
+ bForbidden |= (bInWinExec != sal_False);
if( !bForbidden )
{
ByteString aCmdLine( sServer, RTL_TEXTENCODING_ASCII_US );
aCmdLine.Append( ".exe " );
aCmdLine.Append( ByteString( sTopic, RTL_TEXTENCODING_ASCII_US ) );
- if( WinExec( aCmdLine.GetBuffer(), SW_SHOWMINIMIZED ) < 32 )
+ if( WinExec( aCmdLine.GetBuffer(), SW_SHOWMINIMIZED ) < 32 ) // TODO: use CreateProcess() instead
nError = DDELINK_ERROR_APP;
else
{
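Review bot: The launch decision still rests on the two-entry denylist `aBadServers`, so any other name that WinExec can resolve through its search order once `.exe` is appended stays startable from a document link; the new `SearchChar` test on `sServer` only rules out explicit paths. An allowlist would invert the default: initialise with `bool bForbidden = true;` and clear it only when `sServer` matches an entry in a list of the DDE servers the application expects to start. `sTopic` is appended to `aCmdLine` without a comparable character check, so the same filtering (or rejecting topics with unexpected characters) seems worth applying there before the `WinExec` call. If the denylist stays, a comment such as `// NOTE: name-only servers are still resolved via the WinExec search path` would make the residual risk visible next to the TODO. SvDDEObject::Connect starts before and continues past this hunk, so checks made elsewhere in the function are not visible here.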