On Mon, Apr 27, 2009 at 8:35 PM, Niels Mayer <nielsmayer(a)gmail.com> wrote:
Likewise a different user, e.g. 'ooserv' in the example above, should be the only user able to write in /home/ooserv and be the user running the OpenOffice server. If someone "hacks" via the OpenOffice server importer, at best they'll be able to get it to write some data into /home/ooserv, but it will not be able to change which web-apps are deployed on your server. The latter could potentially happen, in theory, because the OpenOffice server is running as the same user as the Java web container.
Speaking of the above, can anybody think of any scenarios that would get
the openoffice converter to output some embedded velocity that would then
get called on every page view of the imported document?
The last time I used the OOo converter, the resulting document presented with an empty creation- or modify- user field (bug?) and not the user that imported the document (e.g. "Creation by on Jan 27, 2009 17:58:17 GMT-08:00" in http://morgellonswiki.info/xwiki/bin/view/Sandbox/GLN_Int-J-Med-98#Informat…)
If the document written with such an unexpected user field causes accidental
invocation of $doc.saveWithProgrammingRights(), there would be an escalation
of privilege issue that would allow destructive access to the database. Even
with the document's creation/modify set correctly, a further potential
scenario exists:
``Innocent-sounding user asks admin for help fixing imported document, admin
"fixes" problem, but saves the document with programming rights (since he's
admin). Now the previously disabled velocity hidden in the document starts
working....''
In other words, it might be a good idea to take extraordinary "defensive
programming <http://en.wikipedia.org/wiki/Defensive_programming>" measures
to make sure $doc.saveWithProgrammingRights() can never be called on an
imported document. Or generalizing further, that it shouldn't be called
when an admin saves any document that wasn't previously saved with
programming rights without a special notification indicating which other
user's modifications you'd be trusting.... (¿Comments?)
-- Niels
http://nielsmayer.com
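The "defensive programming" rule proposed in the message above, written out as an added example that is not part of the original post and is not XWiki's own code: an admin's save only carries programming rights forward if the previous revision already had them, or if the admin explicitly confirms after being told whose modifications would be trusted. The `Document`/`SaveDecision` classes, the `decide_save` and `find_velocity` functions and the Velocity marker patterns are all assumptions made for the illustration; the patterns are a heuristic for 1.x-era wiki syntax where bare Velocity in page content is evaluated, and the sample documents are constructed.

```python
"""Model of a save-time check that refuses to silently grant programming
rights to content that another user (or an importer that left the author
field empty) last modified. Illustrative only; not XWiki's implementation."""
from dataclasses import dataclass, field
import re

# Assumed heuristic markers for Velocity that would start executing once the
# page is saved with programming rights (constructed for this example).
VELOCITY_PATTERNS = [
    r"#set\s*\(", r"#if\s*\(", r"#foreach\s*\(", r"#macro\s*\(",
    r"\$doc\.", r"\$xwiki\.", r"\$context\.",
]


@dataclass
class Document:
    content: str
    author: str                 # last user who modified the content; "" after a bad import
    saved_with_programming_rights: bool  # did the previous revision already have PR?


@dataclass
class SaveDecision:
    grant_programming_rights: bool
    warnings: list = field(default_factory=list)


def find_velocity(content):
    """Return the distinct Velocity constructs found in the page content."""
    hits = set()
    for pat in VELOCITY_PATTERNS:
        for m in re.finditer(pat, content):
            hits.add(m.group(0))
    return sorted(hits)


def decide_save(doc, saver, saver_is_admin, confirmed_trust=False):
    """Decide whether this save may use programming rights.

    confirmed_trust models the 'special notification' in the message: the
    admin has been shown the warnings and explicitly accepted them.
    """
    warnings = []
    if not saver_is_admin:
        # A non-admin never confers programming rights, whatever the content.
        return SaveDecision(False, warnings)

    # Whose modifications would the admin be vouching for?
    if not doc.author:
        warnings.append("content author is empty (imported document?)")
    elif doc.author != saver:
        warnings.append("content last modified by another user: %r" % doc.author)

    scripts = find_velocity(doc.content)
    if scripts:
        warnings.append("content contains Velocity: " + ", ".join(scripts))

    if doc.saved_with_programming_rights:
        # Status quo: the previous revision already ran with PR, nothing new
        # is being trusted by this save (warnings still surfaced to the admin).
        return SaveDecision(True, warnings)
    if warnings and not confirmed_trust:
        # New trust would be granted to someone else's edits: refuse until
        # the admin has seen exactly what they would be trusting.
        return SaveDecision(False, warnings)
    return SaveDecision(True, warnings)


if __name__ == "__main__":
    # Constructed sample: an imported page with an empty author field and a
    # hidden Velocity call, being "fixed" by an admin.
    imported = Document(
        content="Some article text\n#set($x = $doc.saveWithProgrammingRights())\n",
        author="",
        saved_with_programming_rights=False,
    )
    for confirmed in (False, True):
        d = decide_save(imported, "Admin", saver_is_admin=True, confirmed_trust=confirmed)
        print("confirmed=%s -> grant PR: %s" % (confirmed, d.grant_programming_rights))
        for w in d.warnings:
            print("  warning:", w)
```

The decision is deliberately separate from the scan: the Velocity markers only feed the warning text, while the refusal is driven by who last touched the content, so a page with no detectable scripting but a foreign author still requires the admin's explicit confirmation.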