[Libreoffice-bugs] [Bug 140886] New: Allow hyperlink opening on file with execute bit set ref. CVE-2019-9847
bugzilla-daemon at bugs.documentfoundation.org
bugzilla-daemon at bugs.documentfoundation.org
Mon Mar 8 14:35:04 UTC 2021
https://bugs.documentfoundation.org/show_bug.cgi?id=140886
Bug ID: 140886
Summary: Allow hyperlink opening on file with execute bit set
ref. CVE-2019-9847
Product: LibreOffice
Version: 6.2.3.2 release
Hardware: All
OS: Mac OS X (All)
Status: UNCONFIRMED
Severity: normal
Priority: medium
Component: LibreOffice
Assignee: libreoffice-bugs at lists.freedesktop.org
Reporter: cv at eaimpianti.it
Description:
As of now opening setting up a link pointing to a file with 'x' permission
(execute -rwx------ for example) on MacOS or Linux (using CMD+K or HYPERLINK
function) result in a generic error that say: "PATH is not an absolute URL that
can be passed to an external application to open it.".
Apart from it to be misleading because the path DOES exist, it is also
counterproductive in the scenario we have the link pointing to an SMB (CIFS)
sharing, here is not always easy to set the right permissions so we usually
have the execute bit always set, even on PDF files for example, resulting in
the impossibility to open that file.
A much better handle of the problem would be to open a dialog with a big alert
warning saying that the file is executable and we should be careful with it,
and so give user the ability to choose what to do.
Steps to Reproduce:
1. Create a link with CMD+X (or CTRL+K) or HYPERLINK function
2. Point it to a PDF with the executable bit set (with chmod 700 for example)
3. Try to open it
Actual Results:
It gives an error as expected (even if the phrasing is misleading). But this is
not a good implementation and lead to problems on SMB shares.
Expected Results:
Give user the choice to open or not the file with a big warning! Because many
times this can be a false positive
Reproducible: Always
User Profile Reset: Yes
Additional Info:
Version: 7.0.4.2
Build ID: dcf040e67528d9187c66b2379df5ea4407429775
CPU threads: 4; OS: Mac OS X 10.16; UI render: GL; VCL: osx
Locale: it-IT (it_IT.UTF-8); Interfaccia utente: it-IT
Calc: threaded
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/libreoffice-bugs/attachments/20210308/1d0ba723/attachment.htm>
More information about the Libreoffice-bugs
mailing list