Issue 57669

Summary: wizard-generated form stores absolute path to database document
Product: Base Reporter: Frank Schönheit <frank.schoenheit>
Component: codeAssignee: marc.neumann
Status: CLOSED FIXED QA Contact: issues@dba <issues>
Severity: Trivial    
Priority: P3 CC: issues
Version: OOo 2.0Keywords: security
Target Milestone: OOo 2.0.2   
Hardware: All   
OS: All   
Issue Type: DEFECT Latest Confirmation in: ---
Developer Difficulty: ---

Description Frank Schönheit 2005-11-10 13:08:32 UTC 
- open an arbitrary database document which is *not* an embedded HSQLDB database
- with the wizard, create a form based on an arbitrary table
- save and close the database document
- unzip the .odb file
- edit the content.xml file belonging to the form (usually something like
  forms/Obj11/content.xml)
=> it contains the absolute URL to the database document
Comment 1 Frank Schönheit 2005-11-10 15:19:08 UTC 
one could consider storing an absolute path to a document within a document -
without the possibility to remove it - a security issue -> keyword security
Comment 2 Frank Schönheit 2005-11-10 15:21:30 UTC 
accepting
Comment 3 Frank Schönheit 2005-12-01 11:17:38 UTC 
fixed in CWS dba202c
Comment 4 Frank Schönheit 2005-12-12 09:18:09 UTC 
fs-> msc: please verify in CWS dba202c

re-open issue and reassign to msc
Comment 5 Frank Schönheit 2005-12-12 09:18:19 UTC 
reassign to msc
Comment 6 Frank Schönheit 2005-12-12 09:18:24 UTC 
reset resolution to FIXED
Comment 7 marc.neumann 2006-01-03 09:03:52 UTC 
verified in cws dba202c
Comment 8 marc.neumann 2006-02-10 11:16:10 UTC 
Hi,

this is fixed in the current master. The current master is available at
http://download.openoffice.org/680/index.html

I close this issue now.

Bye Marc