Issue 57669 - wizard-generated form stores absolute path to database document
Summary: wizard-generated form stores absolute path to database document
Status: CLOSED FIXED
Alias: None
Product: Base
Classification: Application
Component: code (show other issues)
Version: OOo 2.0
Hardware: All All
: P3 Trivial (vote)
Target Milestone: OOo 2.0.2
Assignee: marc.neumann
QA Contact: issues@dba
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2005-11-10 13:08 UTC by Frank Schönheit
Modified: 2006-05-31 14:29 UTC (History)
1 user (show)

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this issue.
Description Frank Schönheit 2005-11-10 13:08:32 UTC 
- open an arbitrary database document which is *not* an embedded HSQLDB database
- with the wizard, create a form based on an arbitrary table
- save and close the database document
- unzip the .odb file
- edit the content.xml file belonging to the form (usually something like
  forms/Obj11/content.xml)
=> it contains the absolute URL to the database document
Comment 1 Frank Schönheit 2005-11-10 15:19:08 UTC 
one could consider storing an absolute path to a document within a document -
without the possibility to remove it - a security issue -> keyword security
Comment 2 Frank Schönheit 2005-11-10 15:21:30 UTC 
accepting
Comment 3 Frank Schönheit 2005-12-01 11:17:38 UTC 
fixed in CWS dba202c
Comment 4 Frank Schönheit 2005-12-12 09:18:09 UTC 
fs-> msc: please verify in CWS dba202c

re-open issue and reassign to msc
Comment 5 Frank Schönheit 2005-12-12 09:18:19 UTC 
reassign to msc
Comment 6 Frank Schönheit 2005-12-12 09:18:24 UTC 
reset resolution to FIXED
Comment 7 marc.neumann 2006-01-03 09:03:52 UTC 
verified in cws dba202c
Comment 8 marc.neumann 2006-02-10 11:16:10 UTC 
Hi,

this is fixed in the current master. The current master is available at
http://download.openoffice.org/680/index.html

I close this issue now.

Bye Marc