Author: hdu Date: Thu Jul 10 09:11:07 2014 New Revision: 1609426 URL: http://svn.apache.org/r1609426 Log: #i125226# disallow absolute and relative paths for DDE servers
Modified: openoffice/trunk/main/sfx2/source/appl/impldde.cxx Modified: openoffice/trunk/main/sfx2/source/appl/impldde.cxx URL: http://svn.apache.org/viewvc/openoffice/trunk/main/sfx2/source/appl/impldde.cxx?rev=1609426&r1=1609425&r2=1609426&view=diff ============================================================================== --- openoffice/trunk/main/sfx2/source/appl/impldde.cxx (original) +++ openoffice/trunk/main/sfx2/source/appl/impldde.cxx Thu Jul 10 09:11:07 2014 @@ -260,19 +260,20 @@ sal_Bool SvDDEObject::Connect( SvBaseLin // check the suitability of starting the DDE server const SvtSecurityOptions aSecOpts; bool bForbidden = (aSecOpts.GetMacroSecurityLevel() == eNEVER_EXECUTE); - bForbidden |= (bInWinExec != sal_False); + bForbidden |= (sServer.SearchChar( L":./%\\") != STRING_NOTFOUND); static const char* aBadServers[] = { "cmd", "rundll32" }; for( int i = 0; i < sizeof(aBadServers)/sizeof(*aBadServers); ++i) - bForbidden |= (sServer.CompareIgnoreCaseToAscii( aBadServers[i]) == COMPARE_EQUAL ); + bForbidden |= (sServer.CompareIgnoreCaseToAscii( aBadServers[i]) == COMPARE_EQUAL); // try to start the DDE server if it is not there already + bForbidden |= (bInWinExec != sal_False); if( !bForbidden ) { ByteString aCmdLine( sServer, RTL_TEXTENCODING_ASCII_US ); aCmdLine.Append( ".exe " ); aCmdLine.Append( ByteString( sTopic, RTL_TEXTENCODING_ASCII_US ) ); - if( WinExec( aCmdLine.GetBuffer(), SW_SHOWMINIMIZED ) < 32 ) + if( WinExec( aCmdLine.GetBuffer(), SW_SHOWMINIMIZED ) < 32 ) // TODO: use CreateProcess() instead nError = DDELINK_ERROR_APP; else {
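Review bot: The new character filter on `sServer` rejects `:./%\` but not whitespace or quote characters, so the name is not guaranteed to stay a single token in the `aCmdLine` built below, and the exact-match comparison against `aBadServers` only ever sees the whole string. Accepting only a conservative character set would be safer than growing the list of bad characters; at minimum the filter could read `bForbidden |= (sServer.SearchChar( L":./%\\ \t\"") != STRING_NOTFOUND);`. `sTopic` is appended to the command line with no check at all, so the arguments handed to the started server still come straight from the link. The two-entry deny-list is incomplete by construction, and an allow-list of known DDE server names would hold up better. `SvDDEObject::Connect` starts and ends outside the hunk, so any earlier validation of these strings is not visible here.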