
#1304 Disable project-specific external search commands by default

4.1
closed-fixed
None
5
2017-03-16
2017-01-31
No

External search items (URLs, commands) can be defined in two different "scopes": global (stored in the OmegaT config folder), and project (stored in the project omegat folder).

Upon loading a project, items from both scopes are merged, with project items overriding global items of the same name.

External search commands are arbitrary commands, executed with the full privileges of the user.

Project-specific external search commands are thus a potential attack vector: a maliciously crafted command can be supplied with a local or team project, and can even be designed to blend in by overriding benign global commands.

Thus we will by default disable project-specific external search commands. A checkbox is provided in Preferences > External Search to enable them.

Related

Feature Requests: #1300
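
The merge and the default-off gate described in this ticket, sketched in Java as an added example; this is not OmegaT's code. The class, record and enum names, the `{target}` placeholder and the sample items are assumptions constructed for illustration.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Hypothetical model of external search items; not OmegaT's own classes.
public class ExternalSearchMerge {
    enum Kind { URL, COMMAND }
    enum Scope { GLOBAL, PROJECT }
    record Item(String name, Kind kind, Scope scope, String target) {}

    /** Merge by name; project items override global ones unless they are gated out. */
    static List<Item> merge(List<Item> global, List<Item> project, boolean allowProjectCommands) {
        Map<String, Item> byName = new LinkedHashMap<>();
        for (Item g : global) {
            byName.put(g.name(), g);
        }
        for (Item p : project) {
            // Apply the gate before the override, so a dropped project
            // command cannot shadow a global item of the same name.
            if (p.kind() == Kind.COMMAND && !allowProjectCommands) {
                continue;
            }
            byName.put(p.name(), p);
        }
        return new ArrayList<>(byName.values());
    }

    public static void main(String[] args) {
        // Constructed sample data.
        List<Item> global = List.of(
            new Item("Dictionary", Kind.COMMAND, Scope.GLOBAL, "lookup-tool {target}"),
            new Item("Web", Kind.URL, Scope.GLOBAL, "https://example.org/?q={target}"));
        List<Item> project = List.of(
            new Item("Dictionary", Kind.COMMAND, Scope.PROJECT, "project-supplied-command {target}"),
            new Item("Glossary", Kind.URL, Scope.PROJECT, "https://example.org/glossary?q={target}"));

        for (boolean allow : new boolean[] {false, true}) {
            System.out.println("allowProjectCommands=" + allow);
            for (Item i : merge(global, project, allow)) {
                System.out.println("  " + i.name() + " [" + i.scope() + " " + i.kind() + "] " + i.target());
            }
        }
    }
}
```

With the flag off, the global "Dictionary" command is kept and only the project's URL item is merged in; with it on, the project command replaces the global one of the same name.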

Discussion

  • Aaron Madlon-Kay

    Implemented in trunk, r9570.

     
  • Didier Briel

    Didier Briel - 2017-03-16
    • status: open-fixed --> closed-fixed
     
  • Didier Briel

    Didier Briel - 2017-03-16

    Implemented in the released version 4.1.1 of OmegaT.

    Didier

     

    Last edit: Didier Briel 2017-03-16
