Bug Hunting Session
Bug 70833 - PDF Export: (some) hyperlinks changes from http to file scheme after export
Summary: PDF Export: (some) hyperlinks changes from http to file scheme after export
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Printing and PDF export (show other bugs)
Version:
(earliest affected)
4.0.6.2 release
Hardware: All All
: medium major
Assignee: Stephan Bergmann
URL:
Whiteboard: target:5.1.0
Keywords: security
Depends on:
Blocks:
 
Reported: 2013-10-24 09:37 UTC by Sven-Jacobi
Modified: 2016-10-25 19:17 UTC (History)
5 users (show)

See Also:
Crash report or crash signature:


Attachments
demo document with http hyperlink (7.53 KB, application/vnd.oasis.opendocument.text)
2013-10-24 09:37 UTC, Sven-Jacobi
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Sven-Jacobi 2013-10-24 09:37:10 UTC
Created attachment 88071 [details]
demo document with http hyperlink

The attached document contains following hyperlink: "http://münchen.de"

if exporting this document to pdf the hyperlink is saved as file url, in my case: file:///Users/sj/Downloads/http:%2F%2Fm%C3%BCnchen.de

Even if it is not allowed to use special unicode characters within the domain name (punycode should be used instead and so following url would be correct: http://xn--mnchen-3ya.de) the http scheme should not change to a file url exposing some internals of my file system.
Comment 1 Jean-Baptiste Faure 2013-10-28 05:26:25 UTC
Comment on attachment 88071 [details]
demo document with http hyperlink

Changed mime type
Comment 2 Jean-Baptiste Faure 2013-10-28 05:30:58 UTC
Reproducible with LO 4.0.6 and 4.1.4.0.0+ under Ubuntu 13.04 x86-64

Best regards. JBF
Comment 3 QA Administrators 2015-10-14 19:58:25 UTC Comment hidden (obsolete)
Comment 4 Jean-Baptiste Faure 2015-10-18 17:20:59 UTC
Still reproducible with version 5.0.4.0+ under Ubuntu 15.04 x86-64.

Added security keyword because this bug show private data about the file system of the machine where the pdf was generated.

Security/privacy problem -> severity level set to major

Best regards. JBF
Comment 5 Commit Notification 2015-10-29 13:04:16 UTC
Stephan Bergmann committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=a346dfccd7e342d776dd59eb3ed128557e22a1bf

tdf#70833: IDNA support when exporing hyperlinks to PDF

It will be available in 5.1.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.