Apache OpenOffice (AOO) Bugzilla – Issue 41040
FTP UCP: Problems with bad data in URLs
Last modified: 2013-02-07 22:05:04 UTC
The FTP UCP does not detect and reject URLs that contain NULL (U+0000), LF (U+000A), and CR (U+000D), either unescaped or escaped as %00, %0A, %0D, etc.

When "ftp://host/path" is a working URL, calling XContent.execute("getPropertyValues") to retrieve the "Size" property on contents corresponding to the following URLs has the following results (all string literals are in Java notation):

  "ftp://host/path": success
  "ftp://host/path\u0000foo": success (error: "\u0000foo" is silently dropped on client side)
  "ftp://host/path%00foo": success (error: "\u0000foo" is silently dropped on client side)
  "http://host/path\r\nfoo": success (error: garbage is sent from client to server)
  "http://host/path%0D%0Afoo": com.sun.star.ucb.InteractiveAugmentedIOException "" (error: garbage is sent from client to server)

On fixing the last three cases, see the thread at <http://curl.haxx.se/mail/lib-2005-01/0172.html>.

Also, inspecting ucb/source/ucp/ftp/ftpurl.cxx 1.18, all code that uses curl_slist_append should ensure that it composes well-formed FTP commands (i.e., containing valid RFC 959 <string>s).
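The check requested in the report, as an added example that is not code from ftpurl.cxx or from the OpenOffice project: decode a URL path segment, reject it if the decoded text contains NUL, CR or LF, and only then compose the command line that would be handed to curl_slist_append. The helper names (decodeSegment, isSafeFtpArgument, makeFtpCommand), the use of SIZE as the command and the sample inputs are assumptions made for illustration.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical helpers for illustration; not taken from ftpurl.cxx.

// Decode %XX escapes in one URL path segment; false on a malformed escape.
static bool decodeSegment(const std::string& in, std::string& out) {
    out.clear();
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out += in[i]; continue; }
        if (i + 2 >= in.size()
            || !std::isxdigit(static_cast<unsigned char>(in[i + 1]))
            || !std::isxdigit(static_cast<unsigned char>(in[i + 2])))
            return false;
        out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
        i += 2;
    }
    return true;
}

// CR/LF would end the command line early and start a new one; NUL would
// truncate the argument once it is passed on as a C string.
static bool isSafeFtpArgument(const std::string& s) {
    static const std::string forbidden("\0\r\n", 3);
    return !s.empty() && s.find_first_of(forbidden) == std::string::npos;
}

// Build "VERB argument" (without the trailing CRLF, as curl_slist_append
// expects), or return false so the caller can reject the URL.
static bool makeFtpCommand(const std::string& verb,
                           const std::string& rawSegment, std::string& cmd) {
    std::string decoded;
    if (!decodeSegment(rawSegment, decoded) || !isSafeFtpArgument(decoded))
        return false;
    cmd = verb + " " + decoded;
    return true;
}

int main() {
    // Constructed inputs mirroring the cases listed in the report.
    const std::string cases[] = { "path", "path%00foo", "path%0D%0Afoo",
                                  std::string("path\0foo", 8), "path\r\nfoo" };
    for (const std::string& c : cases) {
        std::string cmd;
        std::cout << (makeFtpCommand("SIZE", c, cmd) ? "accept" : "reject") << '\n';
    }
}
```

Validation runs on the decoded bytes, so the escaped and unescaped forms of the same character are rejected alike.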
accepted
ABI->KSO: As discussed ...
.
KSO->TKR: Please take care of this issue.