Hi - Here is some background on the issue which has apparently existed since about OpenOffice.org 2.0 in 2005 or so.
See https://bz.apache.org/ooo/show_bug.cgi?id=49802 Some confusion existed between types of hyperlinks and rather than filtering they were all allowed to proceed. Arrigo restored the code and Carl added some protocol checks: https://github.com/apache/openoffice/commit/aa358bfc895091e0ee5382ad1d25e5d51261463b This current code will cause a warning for any http(s) hyperlinks that do not have an extension in the “whitelist.” Some think that we should blanket allow all http(s) hyperlinks so I’ve created a PR for that: https://github.com/apache/openoffice/pull/127 Topics for 4.2.0 include: (1) A better dialog box for the hyperlink security warning (2) Implement an option to allow users to choose from 3 levels of hyperlink security that is in the code, but not the settings. The levels in the code are essentially: - No Security - What we have now - And only help links All The Best, Dave > On Apr 15, 2021, at 12:34 PM, Dave Fisher <w...@apache.org> wrote: > > Hi - > > We are working on releasing 4.1.10 soon do to this security report [1] which > was announced today. > > I’d like to credit Arrigo Marchiori and Carl Marcum for development. Ariel > Constenla-Haile and Peter Kovacs for our indispensible OpenGrok setup. > Matthias Seidel, Marcus Lange, Jim Jagielski, and Don Lewis for builds and > testing. > > All The Best, > Dave > > [1] https://positive.security/blog/url-open-rce > >> On Apr 15, 2021, at 12:18 PM, Dave Fisher <w...@apache.org> wrote: >> >> Severity: moderate >> >> Description: >> >> The project received a report that all versions of Apache OpenOffice through >> 4.1.8 can open non-http(s) hyperlinks. The problem has existed since about >> 2006 and the issue is also in 4.1.9. If the link is specifically crafted >> this could lead to untrusted code execution. It is always best practice to >> be careful opening documents from unknown and unverified sources. The >> mitigation in Apache OpenOffice 4.1.10 (unreleased) assures that a security >> warning is displayed giving the user the option of continuing to open the >> hyperlink. >> >> Credit: >> >> Fabian Bräunlein and Lukas Euler of Positive Security >> >> > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
