Issue 92940 - editing of shared basic extension possible
Summary: editing of shared basic extension possible
Status: CLOSED FIXED
Alias: None
Product: App Dev
Classification: Unclassified
Component: scripting (show other issues)
Version: 3.3.0 or older (OOo)
Hardware: Unknown All
: P2 Trivial
Target Milestone: ---
Assignee: joerg.skottke
QA Contact: Unknown
URL:
Keywords:
: 93635 (view as issue list)
Depends on:
Blocks: 88888
  Show dependency tree
 
Reported: 2008-08-20 10:19 UTC by Oliver Brinzing
Modified: 2013-02-24 21:01 UTC (History)
1 user (show)

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this issue.
Description Oliver Brinzing 2008-08-20 10:19:58 UTC 
it's possible to *edit* basic code, deployed inside shared extensions.
changes will be removed after restart.
IMHO this could be a security issue.

in oo 241 editing of shared basic was not possible at all.
Comment 1 kay.ramme 2008-08-20 14:39:57 UTC 
Andreas, please have a look ... 

Thanks 

    Kay
Comment 2 ab 2008-08-20 15:09:11 UTC 
ab->brinzing: I don't understand in which way this should effect security.
Could you please explain. STARTED, 3.1 for now
Comment 3 Oliver Brinzing 2008-08-20 16:33:20 UTC 
> I don't understand in which way this should effect security.

a user should not be able to add/change/replace shared code ...
Comment 4 ab 2008-09-09 14:12:59 UTC 
If the shared code stored on a device where the user has no write access,
it's not possible to commit any changes anyway. So I see no real security
issue here, but I agree that setting shared extension libs to read only
would be better.

But: As notified by a user on the extensions dev mailing list this problem
also applies to user extensions. They can be edited but saving the changes
does not succeed. This is a regression and as discussed with mh it will
be fixed as 3.0 showstopper in the scope of this issue.

Additionally libraries in shared extensions will be made read only like all
pre installed shared libraries.

-> OOo 3.0, P2 (data loss)
Comment 5 ab 2008-09-09 16:44:20 UTC 
FIXED
Comment 6 ab 2008-09-09 16:46:52 UTC 
ab->jsk: To test, take any extension containing Basic (for convenience:
Q:\bugdoc\bis93000\i92940_ExtensionWithBasicLib.oxt) and install it
1. in user
The library's Basic modules should be editable as before. When saving
and restarting the Office (without quickstarter!) the changes should
still be there. Before they were lost.
2. in shared
The library's Basic modules shouldn't be editable any more like
all pre installed libraries (Euro, Tools, etc.).
The extension must *not* be added to user/basic/script.xlc + dialog.xlc
Comment 7 joerg.skottke 2008-09-10 10:38:47 UTC 
Cannot test Linux, as the provided build is a tgz-archive which installs into
the users home directory which again gives the user full read/write access to
the shared layer. Unpacking the archive to /opt as root is known to give an
unusable installation.
Comment 8 joerg.skottke 2008-09-10 12:07:38 UTC 
Verified using the suggested sample extension.
Owners can write (and survive restart), non owners cannot alter module in BASIC IDE
Comment 9 ab 2008-09-11 14:51:45 UTC 
*** Issue 93635 has been marked as a duplicate of this issue. ***
Comment 10 joerg.skottke 2008-10-23 13:58:54 UTC 
Verified, BASIC from shared context cannot be edited (though marked and copied),
changes to BASIC in user context is possible and saved ok. Closing