--- ooo-build/patches/src680/cws-obr04-quotes.diff.0239 2007-03-30 22:03:58.000000000 +0200
+++ ooo-build/patches/src680/cws-obr04-quotes.diff 2007-03-30 22:03:58.000000000 +0200
@@ -0,0 +1,123 @@
+Index: shell/source/unix/misc/cde-open-url.sh
+===================================================================
+RCS file: /cvs/gsl/shell/source/unix/misc/cde-open-url.sh,v
+retrieving revision 1.3
+retrieving revision 1.3.120.1
+diff -u -p -u -p -r1.3 -r1.3.120.1
+--- shell/source/unix/misc/cde-open-url.sh 27 Sep 2005 12:54:22 -0000 1.3
++++ shell/source/unix/misc/cde-open-url.sh 20 Dec 2006 15:03:24 -0000 1.3.120.1
+@@ -58,5 +58,5 @@ else
+ fi
+
+ if [ -z "$TMPFILE" ]; then exit 1; fi
+-( echo $1 > "$TMPFILE"; dtaction Open "$TMPFILE"; rm -f "$TMPFILE" ) &
++( echo "$1" > "$TMPFILE"; dtaction Open "$TMPFILE"; rm -f "$TMPFILE" ) &
+ exit 0
+Index: shell/source/unix/misc/gnome-open-url.sh
+===================================================================
+RCS file: /cvs/gsl/shell/source/unix/misc/gnome-open-url.sh,v
+retrieving revision 1.3
+retrieving revision 1.3.166.1
+diff -u -p -u -p -r1.3 -r1.3.166.1
+--- shell/source/unix/misc/gnome-open-url.sh 13 May 2005 07:31:07 -0000 1.3
++++ shell/source/unix/misc/gnome-open-url.sh 20 Dec 2006 15:03:25 -0000 1.3.166.1
+@@ -50,6 +50,6 @@ case `uname -s` in
+ esac
+
+ # use gnome-open utility coming with libgnome if available
+-gnome-open $1 2>/dev/null || "$0.bin" $1
++gnome-open "$1" 2>/dev/null || "$0.bin" $1
+
+ exit 0
+Index: shell/source/unix/misc/kde-open-url.sh
+===================================================================
+RCS file: /cvs/gsl/shell/source/unix/misc/kde-open-url.sh,v
+retrieving revision 1.2
+retrieving revision 1.2.254.1
+diff -u -p -u -p -r1.2 -r1.2.254.1
+--- shell/source/unix/misc/kde-open-url.sh 10 May 2004 13:08:06 -0000 1.2
++++ shell/source/unix/misc/kde-open-url.sh 20 Dec 2006 15:03:25 -0000 1.2.254.1
+@@ -51,9 +51,9 @@ esac
+
+ # special handling for mailto: uris
+ if echo $1 | grep '^mailto:' > /dev/null; then
+- kmailservice $1 &
++ kmailservice "$1" &
+ else
+- kfmclient openURL $1 &
++ kfmclient openURL "$1" &
+ fi
+
+ exit 0
+Index: shell/source/unix/misc/open-url.sh
+===================================================================
+RCS file: /cvs/gsl/shell/source/unix/misc/open-url.sh,v
+retrieving revision 1.3
+retrieving revision 1.3.120.2
+diff -u -p -u -p -r1.3 -r1.3.120.2
+--- shell/source/unix/misc/open-url.sh 27 Sep 2005 12:54:42 -0000 1.3
++++ shell/source/unix/misc/open-url.sh 20 Dec 2006 15:03:25 -0000 1.3.120.2
+@@ -96,15 +96,15 @@ esac
+ # special handling for mailto: uris
+ if echo $1 | grep '^mailto:' > /dev/null; then
+ # check $MAILER variable
+- if [ $MAILER ]; then
+- $MAILER $1 &
++ if [ ! -z "$MAILER" ]; then
++ $MAILER "$1" &
+ exit 0
+ else
+ # mozilla derivates may need -remote semantics
+ for i in thunderbird mozilla netscape; do
+ mailer=`which $i`
+ if [ ! -z "$mailer" ]; then
+- run_mozilla $mailer $1
++ run_mozilla "$mailer" "$1"
+ exit 0
+ fi
+ done
+@@ -113,15 +113,15 @@ if echo $1 | grep '^mailto:' > /dev/null
+ fi
+ else
+ # check $BROWSER variable
+- if [ $BROWSER ]; then
+- $BROWSER $1 &
++ if [ ! -z "$BROWSER" ]; then
++ $BROWSER "$1" &
+ exit 0
+ else
+ # mozilla derivates may need -remote semantics
+ for i in firefox mozilla netscape; do
+ browser=`which $i`
+ if [ ! -z "$browser" ]; then
+- run_mozilla $browser $1
++ run_mozilla "$browser" "$1"
+ exit 0
+ fi
+ done
+Index: scp2/source/ooo/file_ooo.scp
+===================================================================
+RCS file: /cvs/installation/scp2/source/ooo/file_ooo.scp,v
+retrieving revision 1.175
+retrieving revision 1.175.10.1
+diff -u -p -u -p -r1.175 -r1.175.10.1
+--- scp2/source/ooo/file_ooo.scp 13 Dec 2006 15:14:08 -0000 1.175
++++ scp2/source/ooo/file_ooo.scp 12 Jan 2007 08:06:00 -0000 1.175.10.1
+@@ -369,7 +369,7 @@ File gid_File_Bin_Gnome_Open_Url
+ BIN_FILE_BODY;
+ Dir = gid_Dir_Program;
+ Name = "gnome-open-url";
+- Styles = (PACKED);
++ Styles = (PACKED, PATCH);
+ End
+
+ File gid_File_Bin_Gnome_Open_Url_Bin
+@@ -383,7 +383,7 @@ File gid_File_Bin_Kde_Open_Url
+ BIN_FILE_BODY;
+ Dir = gid_Dir_Program;
+ Name = "kde-open-url";
+- Styles = (PACKED);
++ Styles = (PACKED, PATCH);
+ End
+
+ File gid_File_Bin_Cde_Open_Url
--- ooo-build/patches/src680/hyperlinks-2.1.diff.0239 2007-03-30 22:03:58.000000000 +0200
+++ ooo-build/patches/src680/hyperlinks-2.1.diff 2007-03-30 22:03:58.000000000 +0200
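Review bot: In the gnome-open-url.sh hunk of cws-obr04-quotes.diff the fallback on the new line still expands `$1` unquoted (`|| "$0.bin" $1`), so a URL containing whitespace or glob characters is word-split and pathname-expanded before it reaches the `.bin` helper; the line should read `gnome-open "$1" 2>/dev/null || "$0.bin" "$1"`. The unchanged `echo $1 | grep '^mailto:'` tests in kde-open-url.sh and in both open-url.sh hunks have the same unquoted expansion, and `case "$1" in mailto:*)` would remove it together with the pipe. `$MAILER` and `$BROWSER` stay unquoted, presumably so that they can carry arguments; a comment such as `# $MAILER is deliberately unquoted: it may contain options` would keep a later cleanup from quoting them.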
@@ -0,0 +1,240 @@
+--- shell/source/unix/exec/shellexec.hxx.old 2005-09-07 21:54:18.000000000 +0200
++++ shell/source/unix/exec/shellexec.hxx 2007-02-01 18:41:49.000000000 +0100
+@@ -44,6 +44,10 @@
+ #include <osl/mutex.hxx>
+ #endif
+
++#ifndef _RTL_USTRBUF_HXX_
++#include <rtl/ustrbuf.hxx>
++#endif
++
+ #ifndef _COM_SUN_STAR_LANG_XSERVICEINFO_HPP_
+ #include <com/sun/star/lang/XServiceInfo.hpp>
+ #endif
+@@ -65,6 +69,8 @@
+ ::rtl::OString m_aDesktopEnvironment;
+ ::com::sun::star::uno::Reference< ::com::sun::star::uno::XComponentContext >
+ m_xContext;
++
++ sal_Int32 SAL_CALL tryExecuteProcess( const rtl::OUString& aCommand, const rtl::OUString& aParameter );
+
+ public:
+ ShellExec(const ::com::sun::star::uno::Reference< ::com::sun::star::uno::XComponentContext >& xContext);
+--- shell/source/unix/exec/shellexec.cxx.old 2006-09-17 03:41:54.000000000 +0200
++++ shell/source/unix/exec/shellexec.cxx 2007-02-02 16:03:56.000000000 +0100
+@@ -56,10 +56,6 @@
+ #include <rtl/strbuf.hxx>
+ #endif
+
+-#ifndef _RTL_USTRBUF_HXX_
+-#include <rtl/ustrbuf.hxx>
+-#endif
+-
+ #ifndef _RTL_URI_H_
+ #include <rtl/uri.hxx>
+ #endif
+@@ -124,6 +120,47 @@
+ }
+ }
+
++//------------------------------------------------------------------------
++// helper method
++//------------------------------------------------------------------------
++
++sal_Int32 SAL_CALL ShellExec::tryExecuteProcess( const OUString& aCommand, const OUString& aParameter )
++{
++ OUString aCommandURL;
++ osl::FileBase::getFileURLFromSystemPath(aCommand, aCommandURL);
++
++ rtl_uString *args[] = { aCommandURL.pData, aParameter.pData };
++ oslProcess pProcess = NULL;
++ sal_Int32 rc = 1;
++
++ oslProcessError error = osl_executeProcess(
++ args[0], /* ustrImageName */
++ args+1, /* ustrArguments[] */
++ 1, /* nArguments */
++ osl_Process_WAIT | osl_Process_SEARCHPATH | osl_Process_NORMAL, /* Options */
++ NULL, /* Security */
++ NULL, /* ustrDirectory */
++ NULL, /* ustrEnvironments[] */
++ 0, /* nEnvironmentVars */
++ &pProcess); /* pProcess*/
++
++ if (error == osl_Process_E_None)
++ {
++ error = osl_joinProcess( pProcess );
++ if (error==osl_Process_E_None)
++ {
++ oslProcessInfo aProcessInfo;
++ aProcessInfo.Size = sizeof(aProcessInfo);
++ error = osl_getProcessInfo( pProcess, osl_Process_EXITCODE, &aProcessInfo );
++ if (error==osl_Process_E_None)
++ rc = aProcessInfo.Code;
++ }
++ }
++ osl_freeProcessHandle(pProcess);
++
++ return rc;
++}
++
+ //-----------------------------------------------------------------------------------------
+ //
+ //-----------------------------------------------------------------------------------------
+@@ -157,23 +194,28 @@
+ void SAL_CALL ShellExec::execute( const OUString& aCommand, const OUString& aParameter, sal_Int32 /*nFlags*/ )
+ throw (IllegalArgumentException, SystemShellExecuteException, RuntimeException)
+ {
+- OStringBuffer aBuffer, aLaunchBuffer;
++ OStringBuffer aOfficeLauncher;
++ OUString aURL;
++
++ sal_Bool bTryDesktopLauncher = sal_False;
+
+ // DESKTOP_LAUNCH, see http://freedesktop.org/pipermail/xdg/2004-August/004489.html
+- static const char *pDesktopLaunch = getenv( "DESKTOP_LAUNCH" );
++ static const char *pDesktopLauncher = getenv( "DESKTOP_LAUNCH" );
+
+ // Check wether aCommand contains a document url or not
+ sal_Int32 nIndex = aCommand.indexOf( OUString( RTL_CONSTASCII_USTRINGPARAM(":/") ) );
+
+ if( nIndex > 0 || 0 == aCommand.compareToAscii("mailto:", 7) )
+ {
+- // It seems to be a url ..
++ // It seems to be an url ..
++ if ( pDesktopLauncher && *pDesktopLauncher )
++ bTryDesktopLauncher = sal_True;
++
+ // We need to re-encode file urls because osl_getFileURLFromSystemPath converts
+ // to UTF-8 before encoding non ascii characters, which is not what other apps
+ // expect.
+- OUString aURL(
+- com::sun::star::uri::ExternalUriReferenceTranslator::create(
+- m_xContext)->translateToExternal(aCommand));
++ aURL = com::sun::star::uri::ExternalUriReferenceTranslator::create(
++ m_xContext)->translateToExternal(aCommand);
+ if ( aURL.getLength() == 0 && aCommand.getLength() != 0 )
+ {
+ throw RuntimeException(
+@@ -183,15 +225,17 @@
+ + aCommand),
+ static_cast< cppu::OWeakObject * >(this));
+ }
+-
++
++ // URL needs furher changes depending on the launcher
++ // FIXME: Should we try pDesktopLauncher before we modify the URL?
+ #ifdef MACOSX
+- aBuffer.append("open");
++ aOfficeLauncher.append("open");
+ #else
+ OUString aProgramURL;
+ if ( osl_Process_E_None != osl_getExecutableFile(&aProgramURL.pData) )
+ {
+ throw SystemShellExecuteException(
+- OUString(RTL_CONSTASCII_USTRINGPARAM("Cound not determine executable path")),
++ OUString(RTL_CONSTASCII_USTRINGPARAM("Cound not determine executable path")),
+ static_cast < XSystemShellExecute * > (this), ENOENT );
+ }
+
+@@ -199,7 +243,7 @@
+ if ( FileBase::E_None != FileBase::getSystemPathFromFileURL(aProgramURL, aProgram))
+ {
+ throw SystemShellExecuteException(
+- OUString(RTL_CONSTASCII_USTRINGPARAM("Cound not convert executable path")),
++ OUString(RTL_CONSTASCII_USTRINGPARAM("Cound not convert executable path")),
+ static_cast < XSystemShellExecute * > (this), ENOENT );
+ }
+
+@@ -208,7 +252,7 @@
+ OString aTmp = OUStringToOString(aProgram, osl_getThreadTextEncoding());
+ nIndex = aTmp.lastIndexOf('/');
+ if (nIndex > 0)
+- aBuffer.append(aTmp.copy(0, nIndex+1));
++ aOfficeLauncher.append(aTmp.copy(0, nIndex+1));
+
+ // Respect the desktop environment - if there is an executable named
+ // <desktop-environement-is>-open-url, pass the url to this one instead
+@@ -216,17 +260,17 @@
+ if ( m_aDesktopEnvironment.getLength() > 0 )
+ {
+ OString aDesktopEnvironment(m_aDesktopEnvironment.toAsciiLowerCase());
+- OStringBuffer aCopy(aBuffer);
++ OStringBuffer aCopy(aOfficeLauncher);
+
aCopy.append(aDesktopEnvironment);
+ aCopy.append("-open-url");
+
+ if ( 0 == access( aCopy.getStr(), X_OK) )
+ {
+- aBuffer.append(aDesktopEnvironment);
+- aBuffer.append("-");
++ aOfficeLauncher.append(aDesktopEnvironment);
++ aOfficeLauncher.append("-");
+
+- /* CDE requires file urls to be decoded */
++ /* CDE requires file urls to be decoded */
+ if ( m_aDesktopEnvironment.equals("CDE") && 0 == aURL.compareToAscii("file://", 7) )
+ {
+ aURL = rtl::Uri::decode(aURL, rtl_UriDecodeWithCharset, osl_getThreadTextEncoding());
+@@ -234,44 +278,30 @@
+ }
+ }
+
+- aBuffer.append("open-url");
++ aOfficeLauncher.append("open-url");
+ #endif
+- aBuffer.append(" \'");
+- aBuffer.append(OUStringToOString(aURL, osl_getThreadTextEncoding()));
+- aBuffer.append("\'");
+-
+- if ( pDesktopLaunch && *pDesktopLaunch )
+- {
+- aLaunchBuffer.append( pDesktopLaunch );
+- aLaunchBuffer.append( " \'" );
+- aLaunchBuffer.append(OUStringToOString(aURL, osl_getThreadTextEncoding()));
+- aLaunchBuffer.append( "\'" );
+- }
+ } else {
+- aBuffer.append(OUStringToOString(aCommand, osl_getThreadTextEncoding()));
+- aBuffer.append(" ");
+- aBuffer.append(OUStringToOString(aParameter, osl_getThreadTextEncoding()));
++ aOfficeLauncher.append(OUStringToOString(aCommand, osl_getThreadTextEncoding()));
++ aURL = aParameter;
+ }
+
+- // Prefer DESKTOP_LAUNCH when available
+- if ( aLaunchBuffer.getLength() > 0 )
++ if ( bTryDesktopLauncher )
+ {
+- FILE *pLaunch = popen( aLaunchBuffer.makeStringAndClear().getStr(), "w" );
+- if ( pLaunch != NULL )
+- {
+- if ( 0 == pclose( pLaunch ) )
+- return;
+- }
+- // Failed, do not try DESKTOP_LAUNCH any more
+- pDesktopLaunch = NULL;
++ sal_Int32 nErr = tryExecuteProcess( OUString::createFromAscii(pDesktopLauncher), aURL);
++ if ( nErr )
++ // Failed, do not try DESKTOP_LAUNCH any more
++ pDesktopLauncher = NULL;
++ else
++ return;
+ }
+
+- OString cmd = aBuffer.makeStringAndClear();
+- if ( 0 != pclose(popen(cmd.getStr(), "w")) )
++ OUString aOfficeLauncherOUStr = ::rtl::OStringToOUString(aOfficeLauncher.makeStringAndClear(), osl_getThreadTextEncoding());
++ sal_Int32 nErr = tryExecuteProcess( aOfficeLauncherOUStr, aURL);
++ if ( nErr )
+ {
+- int nerr = errno;
+- throw SystemShellExecuteException(OUString::createFromAscii( strerror( nerr ) ),
+- static_cast < XSystemShellExecute * > (this), nerr );
++ OUString msg = OUString::createFromAscii( "Failed to execute ") + aOfficeLauncherOUStr;
++ throw SystemShellExecuteException(msg,
++ static_cast < XSystemShellExecute * > (this), nErr );
+ }
+ }
+
--- ooo-build/patches/src680/apply.0239 2007-03-30 22:02:43.000000000 +0200
+++ ooo-build/patches/src680/apply 2007-03-30 22:03:58.000000000 +0200
@@ -396,6 +396,10 @@
 # Added support for "application/octet-stream" mime type in package manager
 desktop-application-octet-stream-mime-type.diff, i#73301, flr
+[ Fixes ]
+# Security issue with hyper links, CVE-2007-0239 (also mdv#29975, n#241636)
+hyperlinks-2.1.diff
+cws-obr04-quotes.diff
 # extrusion depth fix
 svx-extrusion-depth-fix.diff, n#229874, rodo
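Review bot: In `tryExecuteProcess` (hyperlinks-2.1.diff, shellexec.cxx) the result of `osl::FileBase::getFileURLFromSystemPath(aCommand, aCommandURL)` is discarded, so a command string that cannot be converted leaves `aCommandURL` empty and that empty image name is handed to `osl_executeProcess`. A guard such as `if (osl::FileBase::E_None != osl::FileBase::getFileURLFromSystemPath(aCommand, aCommandURL)) return 1;` would fail early, and it matters most for the `DESKTOP_LAUNCH` value, which comes straight from the environment. In the `else` branch of `execute`, `aURL = aParameter;` now passes the whole parameter string as a single argument, whereas the removed `popen` path let the shell split it, so callers that pass several arguments change behaviour; this needs a comment or an explicit split. `nErr` is the child's exit code (or the default 1), yet it fills the slot where the old code put `errno`, so the exception's error value no longer denotes a POSIX error. `osl_freeProcessHandle(pProcess)` is also reached with a NULL handle when the launch fails, and the hunk does not show whether it tolerates that.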