From 50fd5124e01e981186cbb0ad6bd547bfd0bdf4a8 Mon Sep 17 00:00:00 2001
From: eabdullin <ed.abdullin.1@gmail.com>
Date: Fri, 29 Mar 2024 14:27:04 +0300
Subject: [PATCH] - escape url passed to gstreamer - add some protocols that
 don't make sense as floating frame  targets - warn about exotic protocols as
 well - default to ignoring libreoffice special-purpose protocols  in calc
 hyperlink - reuse AllowedLinkProtocolFromDocument in writer - reuse
 AllowedLinkProtocolFromDocument in impress/draw - CVE-2023-6186 backporting

---
 SOURCES/0001-CVE-2022-38745.patch             |  93 ++
 ...-6185-escape-url-passed-to-gstreamer.patch |  69 ++
 ...ls-that-don-t-make-sense-as-floating.patch |  93 ++
 ...parameter-count-for-OR-AND-and-1-par.patch |  80 ++
 SOURCES/0001-disable-script-dump.patch        |  99 ++
 .../0001-set-Referer-on-loading-IFrames.patch |  93 ++
 ...-warn-about-exotic-protocols-as-well.patch |  87 ++
 ...ty-belt-before-fishing-in-muddy-wate.patch |  82 ++
 ...g-frames-under-managed-links-control.patch | 907 ++++++++++++++++++
 ...-a-result-even-if-it-s-only-an-error.patch |  50 +
 ...ing-libreoffice-special-purpose-prot.patch | 225 +++++
 ...me-script-macro-support-isn-t-needed.patch |  54 ++
 ...edLinkProtocolFromDocument-in-writer.patch | 281 ++++++
 ...kProtocolFromDocument-in-impress-dra.patch |  87 ++
 SOURCES/0006-CVE-2023-6186-backporting.patch  |  65 ++
 SPECS/libreoffice.spec                        |  71 +-
 16 files changed, 2422 insertions(+), 14 deletions(-)
 create mode 100644 SOURCES/0001-CVE-2022-38745.patch
 create mode 100644 SOURCES/0001-CVE-2023-6185-escape-url-passed-to-gstreamer.patch
 create mode 100644 SOURCES/0001-CVE-2023-6186-add-some-protocols-that-don-t-make-sense-as-floating.patch
 create mode 100644 SOURCES/0001-Obtain-actual-0-parameter-count-for-OR-AND-and-1-par.patch
 create mode 100644 SOURCES/0001-disable-script-dump.patch
 create mode 100644 SOURCES/0001-set-Referer-on-loading-IFrames.patch
 create mode 100644 SOURCES/0002-CVE-2023-6186-warn-about-exotic-protocols-as-well.patch
 create mode 100644 SOURCES/0002-Stack-check-safety-belt-before-fishing-in-muddy-wate.patch
 create mode 100644 SOURCES/0002-put-floating-frames-under-managed-links-control.patch
 create mode 100644 SOURCES/0003-Always-push-a-result-even-if-it-s-only-an-error.patch
 create mode 100644 SOURCES/0003-CVE-2023-6186-default-to-ignoring-libreoffice-special-purpose-prot.patch
 create mode 100644 SOURCES/0003-assume-IFrame-script-macro-support-isn-t-needed.patch
 create mode 100644 SOURCES/0004-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-writer.patch
 create mode 100644 SOURCES/0005-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-impress-dra.patch
 create mode 100644 SOURCES/0006-CVE-2023-6186-backporting.patch

diff --git a/SOURCES/0001-CVE-2022-38745.patch b/SOURCES/0001-CVE-2022-38745.patch
new file mode 100644
index 0000000..2f8d64d
--- /dev/null
+++ b/SOURCES/0001-CVE-2022-38745.patch
@@ -0,0 +1,93 @@
+From 36c5c16b7846ff31f403913ad5cdddf8b22fda43 Mon Sep 17 00:00:00 2001
+From: Stephan Bergmann <sbergman@redhat.com>
+Date: Mon, 21 Feb 2022 11:55:21 +0100
+Subject: [PATCH] Avoid unnecessary empty -Djava.class.path=
+
+Change-Id: Idcfe7321077b60381c0273910b1faeb444ef1fd8
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130242
+Tested-by: Jenkins
+Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
+---
+ .../plugins/sunmajor/pluginlib/sunjavaplugin.cxx | 16 +++++++++++++---
+ jvmfwk/source/framework.cxx                      |  8 ++++++--
+ jvmfwk/source/fwkbase.cxx                        |  3 +++
+ 3 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx b/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx
+index 4760ab6..ea133ea 100644
+--- a/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx
++++ b/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx
+@@ -687,17 +687,22 @@ javaPluginError jfw_plugin_startJavaVirtualMachine(
+     // all versions below 1.5.1
+     options.emplace_back("abort", reinterpret_cast<void*>(abort_handler));
+     bool hasStackSize = false;
++#ifdef UNX
++    // Until java 1.5 we need to put a plugin.jar or javaplugin.jar (<1.4.2)
++    // in the class path in order to have applet support:
++    OString sAddPath = getPluginJarPath(pInfo->sVendor, pInfo->sLocation,pInfo->sVersion);
++#endif
+     for (int i = 0; i < cOptions; i++)
+     {
+         OString opt(arOptions[i].optionString);
+ #ifdef UNX
+-        // Until java 1.5 we need to put a plugin.jar or javaplugin.jar (<1.4.2)
+-        // in the class path in order to have applet support:
+         if (opt.startsWith("-Djava.class.path="))
+         {
+-            OString sAddPath = getPluginJarPath(pInfo->sVendor, pInfo->sLocation,pInfo->sVersion);
+             if (!sAddPath.isEmpty())
++            {
+                 opt += OStringChar(SAL_PATHSEPARATOR) + sAddPath;
++                sAddPath.clear();
++            }
+         }
+ #endif
+         if (opt == "-Xint") {
+@@ -742,6 +747,11 @@ javaPluginError jfw_plugin_startJavaVirtualMachine(
+         }
+ #endif
+     }
++#ifdef UNX
++    if (!sAddPath.isEmpty()) {
++        options.emplace_back("-Djava.class.path=" + sAddPath, nullptr);
++    }
++#endif
+ 
+     std::unique_ptr<JavaVMOption[]> sarOptions(new JavaVMOption[options.size()]);
+     for (std::vector<Option>::size_type i = 0; i != options.size(); ++i) {
+diff --git a/jvmfwk/source/framework.cxx b/jvmfwk/source/framework.cxx
+index 3212030..f532ebd 100644
+--- a/jvmfwk/source/framework.cxx
++++ b/jvmfwk/source/framework.cxx
+@@ -210,8 +210,12 @@ javaFrameworkError jfw_startVM(
+                 //In direct mode the options are specified by bootstrap variables
+                 //of the form UNO_JAVA_JFW_PARAMETER_1 .. UNO_JAVA_JFW_PARAMETER_n
+                 vmParams = jfw::BootParams::getVMParameters();
+-                sUserClassPath =
+-                    "-Djava.class.path=" + jfw::BootParams::getClasspath();
++                auto const cp = jfw::BootParams::getClasspath();
++                if (!cp.isEmpty())
++                {
++                    sUserClassPath =
++                        "-Djava.class.path=" + cp;
++                }
+             }
+             else
+                 OSL_ASSERT(false);
+diff --git a/jvmfwk/source/fwkbase.cxx b/jvmfwk/source/fwkbase.cxx
+index ece4dd2..93c32a7 100644
+--- a/jvmfwk/source/fwkbase.cxx
++++ b/jvmfwk/source/fwkbase.cxx
+@@ -460,6 +460,9 @@ OString makeClassPathOption(OUString const & sUserClassPath)
+ 
+     sPaths = OUStringToOString(
+         sBufCP.makeStringAndClear(), osl_getThreadTextEncoding());
++    if (sPaths.isEmpty()) {
++        return "";
++    }
+ 
+     OString sOptionClassPath = "-Djava.class.path=" + sPaths;
+     return sOptionClassPath;
+-- 
+2.39.2
+
diff --git a/SOURCES/0001-CVE-2023-6185-escape-url-passed-to-gstreamer.patch b/SOURCES/0001-CVE-2023-6185-escape-url-passed-to-gstreamer.patch
new file mode 100644
index 0000000..9df483c
--- /dev/null
+++ b/SOURCES/0001-CVE-2023-6185-escape-url-passed-to-gstreamer.patch
@@ -0,0 +1,69 @@
+From 6167f5815aefa78a70517c8e2acbdd7b9c9be27d Mon Sep 17 00:00:00 2001
+Message-ID: <6167f5815aefa78a70517c8e2acbdd7b9c9be27d.1703003067.git.erack@redhat.com>
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolan.mcnamara@collabora.com>
+Date: Fri, 3 Nov 2023 14:20:07 +0000
+Subject: [PATCH] escape url passed to gstreamer
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="------------erAck-patch-parts"
+
+This is a multi-part message in MIME format.
+--------------erAck-patch-parts
+Content-Type: text/plain; charset=UTF-8; format=fixed
+Content-Transfer-Encoding: 8bit
+
+
+Change-Id: I3c93ee34800cc8563370f75ef3ef6f8a9220e6ec
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158894
+Tested-by: Jenkins
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+(cherry picked from commit f41dcadf6492a6ffd32696d50f818e44355b9ad9)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159583
+
+erAck: backported to 7.1.8.1
+
+---
+ avmedia/source/gstreamer/gstframegrabber.cxx | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+
+--------------erAck-patch-parts
+Content-Type: text/x-patch; name="0001-escape-url-passed-to-gstreamer.patch"
+Content-Transfer-Encoding: 8bit
+Content-Disposition: attachment; filename="0001-escape-url-passed-to-gstreamer.patch"
+
+diff --git a/avmedia/source/gstreamer/gstframegrabber.cxx b/avmedia/source/gstreamer/gstframegrabber.cxx
+index ece799d87530..25170a296e66 100644
+--- a/avmedia/source/gstreamer/gstframegrabber.cxx
++++ b/avmedia/source/gstreamer/gstframegrabber.cxx
+@@ -51,11 +51,9 @@ void FrameGrabber::disposePipeline()
+ FrameGrabber::FrameGrabber( const OUString &rURL ) :
+     FrameGrabber_BASE()
+ {
+-    gchar *pPipelineStr;
+-    pPipelineStr = g_strdup_printf(
+-        "uridecodebin uri=%s ! videoconvert ! videoscale ! appsink "
+-        "name=sink caps=\"video/x-raw,format=RGB,pixel-aspect-ratio=1/1\"",
+-        OUStringToOString( rURL, RTL_TEXTENCODING_UTF8 ).getStr() );
++    const char pPipelineStr[] =
++        "uridecodebin name=source ! videoconvert ! videoscale ! appsink "
++        "name=sink caps=\"video/x-raw,format=RGB,pixel-aspect-ratio=1/1\"";
+ 
+     GError *pError = nullptr;
+     mpPipeline = gst_parse_launch( pPipelineStr, &pError );
+@@ -66,6 +64,12 @@ FrameGrabber::FrameGrabber( const OUString &rURL ) :
+     }
+ 
+     if( mpPipeline ) {
++
++        if (GstElement *pUriDecode = gst_bin_get_by_name(GST_BIN(mpPipeline), "source"))
++            g_object_set(pUriDecode, "uri", OUStringToOString(rURL, RTL_TEXTENCODING_UTF8).getStr(), nullptr);
++        else
++            g_warning("Missing 'source' element in gstreamer pipeline");
++
+         // pre-roll
+         switch( gst_element_set_state( mpPipeline, GST_STATE_PAUSED ) ) {
+         case GST_STATE_CHANGE_FAILURE:
+
+--------------erAck-patch-parts--
+
+
diff --git a/SOURCES/0001-CVE-2023-6186-add-some-protocols-that-don-t-make-sense-as-floating.patch b/SOURCES/0001-CVE-2023-6186-add-some-protocols-that-don-t-make-sense-as-floating.patch
new file mode 100644
index 0000000..22947a9
--- /dev/null
+++ b/SOURCES/0001-CVE-2023-6186-add-some-protocols-that-don-t-make-sense-as-floating.patch
@@ -0,0 +1,93 @@
+From 37d73a1ab94b43e03866d5a910cb58331543b8c3 Mon Sep 17 00:00:00 2001
+Message-ID: <37d73a1ab94b43e03866d5a910cb58331543b8c3.1703086247.git.erack@redhat.com>
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolan.mcnamara@collabora.com>
+Date: Fri, 3 Nov 2023 17:14:26 +0000
+Subject: [PATCH] add some protocols that don't make sense as floating frame
+ targets
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="------------erAck-patch-parts"
+
+This is a multi-part message in MIME format.
+--------------erAck-patch-parts
+Content-Type: text/plain; charset=UTF-8; format=fixed
+Content-Transfer-Encoding: 8bit
+
+
+Change-Id: Id900a5eef248731d1184c1df501a2cf7a2de7eb9
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158910
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit 11ebdfef16501c6d35c3e3d0d62507f706557c71)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158900
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+(cherry picked from commit bab433911bdecb344f7ea94dbd00690241a08c54)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159582
+
+erAck: backported to 7.1.8.1
+
+---
+ include/tools/urlobj.hxx     | 5 +++++
+ sfx2/source/doc/iframe.cxx   | 5 ++++-
+ tools/source/fsys/urlobj.cxx | 8 ++++++++
+ 3 files changed, 17 insertions(+), 1 deletion(-)
+
+
+--------------erAck-patch-parts
+Content-Type: text/x-patch; name="0001-add-some-protocols-that-don-t-make-sense-as-floating.patch"
+Content-Transfer-Encoding: 8bit
+Content-Disposition: attachment; filename="0001-add-some-protocols-that-don-t-make-sense-as-floating.patch"
+
+diff --git a/include/tools/urlobj.hxx b/include/tools/urlobj.hxx
+index 9d6820ddf241..dfd658722826 100644
+--- a/include/tools/urlobj.hxx
++++ b/include/tools/urlobj.hxx
+@@ -915,6 +915,11 @@ public:
+ 
+     void changeScheme(INetProtocol eTargetScheme);
+ 
++    // INetProtocol::Macro, INetProtocol::Uno, INetProtocol::Slot,
++    // vnd.sun.star.script, etc. All the types of URLs which shouldn't
++    // be accepted from an outside controlled source
++    bool IsExoticProtocol() const;
++
+ private:
+     // General Structure:
+ 
+diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx
+index 150218b436e9..b81ce82fd32e 100644
+--- a/sfx2/source/doc/iframe.cxx
++++ b/sfx2/source/doc/iframe.cxx
+@@ -168,8 +168,11 @@ sal_Bool SAL_CALL IFrameObject::load(
+         xTrans->parseStrict( aTargetURL );
+ 
+         INetURLObject aURLObject(aTargetURL.Complete);
+-        if (aURLObject.GetProtocol() == INetProtocol::Macro || aURLObject.isSchemeEqualTo(u"vnd.sun.star.script"))
++        if (aURLObject.IsExoticProtocol())
++        {
++            //SAL_WARN("sfx", "IFrameObject::load ignoring: " << aTargetURL.Complete);
+             return false;
++        }
+ 
+         uno::Reference<frame::XFramesSupplier> xParentFrame = xFrame->getCreator();
+         SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame);
+diff --git a/tools/source/fsys/urlobj.cxx b/tools/source/fsys/urlobj.cxx
+index 764bb28ef623..2a9f7bc3d7dc 100644
+--- a/tools/source/fsys/urlobj.cxx
++++ b/tools/source/fsys/urlobj.cxx
+@@ -4829,4 +4829,12 @@ OUString INetURLObject::CutExtension()
+         ? aTheExtension : OUString();
+ }
+ 
++bool INetURLObject::IsExoticProtocol() const
++{
++    return m_eScheme == INetProtocol::Slot ||
++           m_eScheme == INetProtocol::Macro ||
++           m_eScheme == INetProtocol::Uno ||
++           isSchemeEqualTo(u"vnd.sun.star.script");
++}
++
+ /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
+
+--------------erAck-patch-parts--
+
+
diff --git a/SOURCES/0001-Obtain-actual-0-parameter-count-for-OR-AND-and-1-par.patch b/SOURCES/0001-Obtain-actual-0-parameter-count-for-OR-AND-and-1-par.patch
new file mode 100644
index 0000000..b095c3f
--- /dev/null
+++ b/SOURCES/0001-Obtain-actual-0-parameter-count-for-OR-AND-and-1-par.patch
@@ -0,0 +1,80 @@
+From b66d735cf3dc8b80783cb161c0aff5b990db1bb0 Mon Sep 17 00:00:00 2001
+From: Eike Rathke <erack@redhat.com>
+Date: Thu, 16 Feb 2023 20:20:31 +0100
+Subject: [PATCH 1/3] Obtain actual 0-parameter count for OR(), AND() and
+ 1-parameter functions
+
+OR and AND for legacy infix notation are classified as binary
+operators but in fact are functions with parameter count. In case
+no argument is supplied, GetByte() returns 0 and for that case the
+implicit binary operator 2 parameters were wrongly assumed.
+Similar for functions expecting 1 parameter, without argument 1
+was assumed. For "real" unary and binary operators the compiler
+already checks parameters. Omit OR and AND and 1-parameter
+functions from this implicit assumption and return the actual 0
+count.
+
+Change-Id: Ie05398c112a98021ac2875cf7b6de994aee9d882
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147173
+Reviewed-by: Eike Rathke <erack@redhat.com>
+Tested-by: Jenkins
+
+(cherry picked from commit e7ce9bddadb2db222eaa5f594ef1de2e36d57e5c)
+Conflicts:
+        sc/source/core/tool/interpr4.cxx
+---
+ formula/source/core/api/token.cxx | 13 +++++--------
+ sc/source/core/tool/interpr4.cxx  | 10 +++++++++-
+ 2 files changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/formula/source/core/api/token.cxx b/formula/source/core/api/token.cxx
+index 17594207234f..0db0c3464610 100644
+--- a/formula/source/core/api/token.cxx
++++ b/formula/source/core/api/token.cxx
+@@ -95,17 +95,14 @@ sal_uInt8 FormulaToken::GetParamCount() const
+         return 0;       // parameters and specials
+                         // ocIf... jump commands not for FAP, have cByte then
+ //2do: bool parameter whether FAP or not?
+-    else if ( GetByte() )
++    else if (GetByte())
+         return GetByte();   // all functions, also ocExternal and ocMacro
+-    else if (SC_OPCODE_START_BIN_OP <= eOp && eOp < SC_OPCODE_STOP_BIN_OP)
+-        return 2;           // binary
+-    else if ((SC_OPCODE_START_UN_OP <= eOp && eOp < SC_OPCODE_STOP_UN_OP)
+-            || eOp == ocPercentSign)
+-        return 1;           // unary
++    else if (SC_OPCODE_START_BIN_OP <= eOp && eOp < SC_OPCODE_STOP_BIN_OP && eOp != ocAnd && eOp != ocOr)
++        return 2;           // binary operators, compiler checked; OR and AND legacy but are functions
++    else if ((SC_OPCODE_START_UN_OP <= eOp && eOp < SC_OPCODE_STOP_UN_OP) || eOp == ocPercentSign)
++        return 1;           // unary operators, compiler checked
+     else if (SC_OPCODE_START_NO_PAR <= eOp && eOp < SC_OPCODE_STOP_NO_PAR)
+         return 0;           // no parameter
+-    else if (SC_OPCODE_START_1_PAR <= eOp && eOp < SC_OPCODE_STOP_1_PAR)
+-        return 1;           // one parameter
+     else if (FormulaCompiler::IsOpCodeJumpCommand( eOp ))
+         return 1;           // only the condition counts as parameter
+     else
+diff --git a/sc/source/core/tool/interpr4.cxx b/sc/source/core/tool/interpr4.cxx
+index eb3fb987c034..94235c33eaef 100644
+--- a/sc/source/core/tool/interpr4.cxx
++++ b/sc/source/core/tool/interpr4.cxx
+@@ -4012,7 +4012,15 @@ StackVar ScInterpreter::Interpret()
+                 else if (sp >= pCur->GetParamCount())
+                     nStackBase = sp - pCur->GetParamCount();
+                 else
+-                    nStackBase = sp;    // underflow?!?
++                {
++                    SAL_WARN("sc.core", "Stack anomaly at " << aPos.Format(
++                                ScRefFlags::VALID | ScRefFlags::FORCE_DOC | ScRefFlags::TAB_3D, pDok)
++                            << "  eOp: " << static_cast<int>(eOp)
++                            << "  params: " << static_cast<int>(pCur->GetParamCount())
++                            << "  nStackBase: " << nStackBase << "  sp: " << sp);
++                    nStackBase = sp;
++                    assert(!"underflow");
++                }
+             }
+ 
+             switch( eOp )
+-- 
+2.41.0
+
diff --git a/SOURCES/0001-disable-script-dump.patch b/SOURCES/0001-disable-script-dump.patch
new file mode 100644
index 0000000..fe8cf63
--- /dev/null
+++ b/SOURCES/0001-disable-script-dump.patch
@@ -0,0 +1,99 @@
+From ff68c22161071ce89851c6d81e80ba51b67e8e0c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Mon, 13 Feb 2023 13:56:10 +0000
+Subject: [PATCH] disable script dump
+
+Change-Id: I04d740cc0fcf87daa192a0a6af34138278043a19
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/146986
+Tested-by: Jenkins
+Reviewed-by: Thorsten Behrens <thorsten.behrens@allotropia.de>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147051
+Tested-by: Thorsten Behrens <thorsten.behrens@allotropia.de>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147255
+Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
+Reviewed-by: Andras Timar <andras.timar@collabora.com>
+(cherry picked from commit ae3a7dcbb60bb73700737b9ca8940ce3103648d9)
+---
+ .../source/drivers/hsqldb/HDriver.cxx         | 31 +++++++++++++++++++
+ external/hsqldb/UnpackedTarball_hsqldb.mk     |  1 +
+ .../hsqldb/patches/disable-dump-script.patch  | 14 +++++++++
+ 3 files changed, 46 insertions(+)
+ create mode 100644 external/hsqldb/patches/disable-dump-script.patch
+
+diff --git a/connectivity/source/drivers/hsqldb/HDriver.cxx b/connectivity/source/drivers/hsqldb/HDriver.cxx
+index de76ecbba29de..95c610843efab 100644
+--- a/connectivity/source/drivers/hsqldb/HDriver.cxx
++++ b/connectivity/source/drivers/hsqldb/HDriver.cxx
+@@ -300,6 +300,37 @@ namespace connectivity
+                         } // if ( xStream.is() )
+                         ::comphelper::disposeComponent(xStream);
+                     }
++
++                    // disallow any database/script files that contain a "SCRIPT[.*]" entry (this is belt and braces
++                    // in that bundled hsqldb 1.8.0 is patched to also reject them)
++                    //
++                    // hsqldb 2.6.0 release notes have: added system role SCRIPT_OPS for export / import of database structure and data
++                    // which seems to provide a builtin way to do this with contemporary hsqldb
++                    const OUString sScript( "script" );
++                    if (!bIsNewDatabase && xStorage->isStreamElement(sScript))
++                    {
++                        Reference<XStream > xStream = xStorage->openStreamElement(sScript, ElementModes::READ);
++                        if (xStream.is())
++                        {
++                            std::unique_ptr<SvStream> pStream(::utl::UcbStreamHelper::CreateStream(xStream));
++                            if (pStream)
++                            {
++                                OString sLine;
++                                while (pStream->ReadLine(sLine))
++                                {
++                                    OString sText = sLine.trim();
++                                    if (sText.startsWithIgnoreAsciiCase("SCRIPT"))
++                                    {
++                                        ::connectivity::SharedResources aResources;
++                                        sMessage = aResources.getResourceString(STR_COULD_NOT_LOAD_FILE).replaceFirst("$filename$", sSystemPath);
++                                        break;
++                                    }
++                                }
++                            }
++                        } // if ( xStream.is() )
++                        ::comphelper::disposeComponent(xStream);
++                    }
++
+                 }
+                 catch(Exception&)
+                 {
+diff --git a/external/hsqldb/UnpackedTarball_hsqldb.mk b/external/hsqldb/UnpackedTarball_hsqldb.mk
+index cbba770f19a07..ed262cccf4caa 100644
+--- a/external/hsqldb/UnpackedTarball_hsqldb.mk
++++ b/external/hsqldb/UnpackedTarball_hsqldb.mk
+@@ -29,6 +29,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,hsqldb,\
+ 		external/hsqldb/patches/jdbc-4.1.patch \
+ 		external/hsqldb/patches/multipleResultSets.patch \
+ 	) \
++	external/hsqldb/patches/disable-dump-script.patch \
+ ))
+ 
+ # vim: set noet sw=4 ts=4:
+diff --git a/external/hsqldb/patches/disable-dump-script.patch b/external/hsqldb/patches/disable-dump-script.patch
+new file mode 100644
+index 0000000000000..401dd38abc9a2
+--- /dev/null
++++ b/external/hsqldb/patches/disable-dump-script.patch
+@@ -0,0 +1,14 @@
++--- a/hsqldb/src/org/hsqldb/DatabaseCommandInterpreter.java	2023-02-13 11:08:11.297243034 +0000
+++++ b/hsqldb/src/org/hsqldb/DatabaseCommandInterpreter.java	2023-02-13 13:49:17.973089433 +0000
++@@ -403,6 +403,11 @@
++                     throw Trace.error(Trace.INVALID_IDENTIFIER);
++                 }
++ 
+++                // added condition to avoid execution of spurious command in .script or .log file
+++                if (session.isProcessingScript() || session.isProcessingLog()) {
+++                    return new Result(ResultConstants.UPDATECOUNT);
+++                }
+++
++                 dsw = new ScriptWriterText(database, token, true, true, true);
++ 
++                 dsw.writeAll();
+-- 
+2.41.0
+
diff --git a/SOURCES/0001-set-Referer-on-loading-IFrames.patch b/SOURCES/0001-set-Referer-on-loading-IFrames.patch
new file mode 100644
index 0000000..bb8633c
--- /dev/null
+++ b/SOURCES/0001-set-Referer-on-loading-IFrames.patch
@@ -0,0 +1,93 @@
+From a7bc0ab5215734cb2bd4162cb5cdcc69fef23ef4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Tue, 11 Apr 2023 10:13:37 +0100
+Subject: [PATCH 1/3] set Referer on loading IFrames
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+so tools, options, security, options,
+"block any links from document not..."
+applies to their contents.
+
+Change-Id: I04839aea6b07a4a76ac147a85045939ccd9c3c79
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150221
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150751
+Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
+(cherry picked from commit acff9ca0579333b45d10ae5f8cd48172f563dddd)
+(cherry picked from commit 04c8176fb40d2eb983aa0bd0a6ce65804d3f6ecd)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152094
+Tested-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+
+(cherry picked from commit 789155b523b384df020d86228ac200a63a68b154)
+Conflicts:
+	sfx2/source/doc/iframe.cxx
+---
+ sfx2/source/doc/iframe.cxx | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx
+index b5291b239164b..5a0ea96a234da 100644
+--- a/sfx2/source/doc/iframe.cxx
++++ b/sfx2/source/doc/iframe.cxx
+@@ -32,12 +32,14 @@
+ #include <com/sun/star/ui/dialogs/XExecutableDialog.hpp>
+ #include <com/sun/star/embed/XEmbeddedObject.hpp>
+ 
++#include <comphelper/propertyvalue.hxx>
+ #include <cppuhelper/implbase.hxx>
+ #include <cppuhelper/supportsservice.hxx>
+ #include <rtl/ref.hxx>
+ #include <svtools/miscopt.hxx>
+ #include <svl/ownlist.hxx>
+ #include <svl/itemprop.hxx>
++#include <sfx2/docfile.hxx>
+ #include <sfx2/frmdescr.hxx>
+ #include <sfx2/objsh.hxx>
+ #include <sfx2/sfxdlg.hxx>
+@@ -166,14 +168,19 @@ sal_Bool SAL_CALL IFrameObject::load(
+         uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) );
+         xTrans->parseStrict( aTargetURL );
+ 
++        uno::Reference<frame::XFramesSupplier> xParentFrame = xFrame->getCreator();
++        SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame);
++
+         if (INetURLObject(aTargetURL.Complete).GetProtocol() == INetProtocol::Macro)
+         {
+-            uno::Reference<frame::XFramesSupplier> xParentFrame = xFrame->getCreator();
+-            SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame);
+             if (pDoc && !pDoc->AdjustMacroMode())
+                 return false;
+         }
+ 
++        OUString sReferer;
++        if (pDoc && pDoc->HasName())
++            sReferer = pDoc->GetMedium()->GetName();
++
+         DBG_ASSERT( !mxFrame.is(), "Frame already existing!" );
+         VclPtr<vcl::Window> pParent = VCLUnoHelper::GetWindow( xFrame->getContainerWindow() );
+         VclPtr<IFrameWindow_Impl> pWin = VclPtr<IFrameWindow_Impl>::Create( pParent, maFrmDescr.IsFrameBorderOn() );
+@@ -196,12 +203,11 @@ sal_Bool SAL_CALL IFrameObject::load(
+         if ( xFramesSupplier.is() )
+             mxFrame->setCreator( xFramesSupplier );
+ 
+-        uno::Sequence < beans::PropertyValue > aProps(2);
+-        aProps[0].Name = "PluginMode";
+-        aProps[0].Value <<= sal_Int16(2);
+-        aProps[1].Name = "ReadOnly";
+-        aProps[1].Value <<= true;
+-
++        uno::Sequence < beans::PropertyValue > aProps{
++            comphelper::makePropertyValue("PluginMode", sal_Int16(2)),
++            comphelper::makePropertyValue("ReadOnly", true),
++            comphelper::makePropertyValue("Referer", sReferer)
++        };
+         uno::Reference < frame::XDispatch > xDisp = mxFrame->queryDispatch( aTargetURL, "_self", 0 );
+         if ( xDisp.is() )
+             xDisp->dispatch( aTargetURL, aProps );
+-- 
+2.41.0
+
diff --git a/SOURCES/0002-CVE-2023-6186-warn-about-exotic-protocols-as-well.patch b/SOURCES/0002-CVE-2023-6186-warn-about-exotic-protocols-as-well.patch
new file mode 100644
index 0000000..e7aca7f
--- /dev/null
+++ b/SOURCES/0002-CVE-2023-6186-warn-about-exotic-protocols-as-well.patch
@@ -0,0 +1,87 @@
+From 99b453dfac5ed44a02c6e1a51b871ee50709a405 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolan.mcnamara@collabora.com>
+Date: Sat, 4 Nov 2023 19:57:51 +0000
+Subject: [PATCH] warn about exotic protocols as well
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: I50dcf4f36cd20d75f5ad3876353143268740a50f
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/151834
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit 1305f70cff8a81a58a5a6d9c96c5bb032005389e)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159034
+Reviewed-by: Eike Rathke <erack@redhat.com>
+Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159881
+Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
+Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159911
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+
+erAck: backported to 6.4.7.2
+
+---
+ sw/source/filter/html/htmlplug.cxx | 2 +-
+ sw/source/filter/xml/xmltexti.cxx  | 2 +-
+ tools/source/fsys/urlobj.cxx       | 3 ++-
+ xmloff/source/draw/ximpshap.cxx    | 2 +-
+ 4 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/sw/source/filter/html/htmlplug.cxx b/sw/source/filter/html/htmlplug.cxx
+index eb70704..112975f 100644
+--- a/sw/source/filter/html/htmlplug.cxx
++++ b/sw/source/filter/html/htmlplug.cxx
+@@ -1089,7 +1089,7 @@ void SwHTMLParser::InsertFloatingFrame()
+ 
+                 OUString sHRef = aFrameDesc.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE );
+ 
+-                if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro)
++                if (INetURLObject(sHRef).IsExoticProtocol())
+                     NotifyMacroEventRead();
+ 
+                 xSet->setPropertyValue("FrameURL", uno::makeAny( sHRef ) );
+diff --git a/sw/source/filter/xml/xmltexti.cxx b/sw/source/filter/xml/xmltexti.cxx
+index 72a14b9..e015575 100644
+--- a/sw/source/filter/xml/xmltexti.cxx
++++ b/sw/source/filter/xml/xmltexti.cxx
+@@ -856,7 +856,7 @@ uno::Reference< XPropertySet > SwXMLTextImportHelper::createAndInsertFloatingFra
+                 OUString sHRef = URIHelper::SmartRel2Abs(
+                             INetURLObject( GetXMLImport().GetBaseURL() ), rHRef );
+ 
+-                if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro)
++                if (INetURLObject(sHRef).IsExoticProtocol())
+                     GetXMLImport().NotifyMacroEventRead();
+ 
+                 xSet->setPropertyValue("FrameURL",
+diff --git a/tools/source/fsys/urlobj.cxx b/tools/source/fsys/urlobj.cxx
+index ab6e885..1ef2b7e 100644
+--- a/tools/source/fsys/urlobj.cxx
++++ b/tools/source/fsys/urlobj.cxx
+@@ -4776,7 +4776,8 @@ bool INetURLObject::IsExoticProtocol() const
+     return m_eScheme == INetProtocol::Slot ||
+            m_eScheme == INetProtocol::Macro ||
+            m_eScheme == INetProtocol::Uno ||
+-           isSchemeEqualTo(u"vnd.sun.star.script");
++           isSchemeEqualTo(u"vnd.sun.star.script") ||
++           isSchemeEqualTo(u"service");
+ }
+ 
+ /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
+diff --git a/xmloff/source/draw/ximpshap.cxx b/xmloff/source/draw/ximpshap.cxx
+index bd5f30a..b58da79 100644
+--- a/xmloff/source/draw/ximpshap.cxx
++++ b/xmloff/source/draw/ximpshap.cxx
+@@ -3269,7 +3269,7 @@ void SdXMLFloatingFrameShapeContext::StartElement( const css::uno::Reference< cs
+ 
+             if( !maHref.isEmpty() )
+             {
+-                if (INetURLObject(maHref).GetProtocol() == INetProtocol::Macro)
++                if (INetURLObject(maHref).IsExoticProtocol())
+                     GetImport().NotifyMacroEventRead();
+ 
+                 xProps->setPropertyValue("FrameURL", Any(maHref) );
+-- 
+2.43.0
+
diff --git a/SOURCES/0002-Stack-check-safety-belt-before-fishing-in-muddy-wate.patch b/SOURCES/0002-Stack-check-safety-belt-before-fishing-in-muddy-wate.patch
new file mode 100644
index 0000000..5bede1a
--- /dev/null
+++ b/SOURCES/0002-Stack-check-safety-belt-before-fishing-in-muddy-wate.patch
@@ -0,0 +1,82 @@
+From c0e926365dc7651dcb5eee48f50e6990523662ad Mon Sep 17 00:00:00 2001
+From: Eike Rathke <erack@redhat.com>
+Date: Fri, 17 Feb 2023 12:03:54 +0100
+Subject: [PATCH 2/3] Stack check safety belt before fishing in muddy waters
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Have it hit hard in debug builds.
+
+Change-Id: I9ea54844a0661fd7a75616a2876983a74b2d5bad
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147205
+Reviewed-by: Eike Rathke <erack@redhat.com>
+Tested-by: Jenkins
+(cherry picked from commit 9d91fbba6f374fa1c10b38eae003da89bd4e6d4b)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147245
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+(cherry picked from commit 166a07062dd4ffedca6106f439a6fcddaeee5eb5)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147391
+Tested-by: Michael Stahl <michael.stahl@allotropia.de>
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+(cherry picked from commit f8efb098f2abbf054a15dcf7daaaacfa575685ae)
+---
+ sc/source/core/inc/interpre.hxx  | 12 ++++++++++++
+ sc/source/core/tool/interpr1.cxx |  4 ++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/sc/source/core/inc/interpre.hxx b/sc/source/core/inc/interpre.hxx
+index 3b902524d901..c7d4527dbf57 100644
+--- a/sc/source/core/inc/interpre.hxx
++++ b/sc/source/core/inc/interpre.hxx
+@@ -235,6 +235,7 @@ private:
+     inline bool MustHaveParamCount( short nAct, short nMust );
+     inline bool MustHaveParamCount( short nAct, short nMust, short nMax );
+     inline bool MustHaveParamCountMin( short nAct, short nMin );
++    inline bool MustHaveParamCountMinWithStackCheck( short nAct, short nMin );
+     void PushParameterExpected();
+     void PushIllegalParameter();
+     void PushIllegalArgument();
+@@ -1086,6 +1087,17 @@ inline bool ScInterpreter::MustHaveParamCountMin( short nAct, short nMin )
+     return false;
+ }
+ 
++inline bool ScInterpreter::MustHaveParamCountMinWithStackCheck( short nAct, short nMin )
++{
++    assert(sp >= nAct);
++    if (sp < nAct)
++    {
++        PushParameterExpected();
++        return false;
++    }
++    return MustHaveParamCountMin( nAct, nMin);
++}
++
+ inline bool ScInterpreter::CheckStringPositionArgument( double & fVal )
+ {
+     if (!rtl::math::isFinite( fVal))
+diff --git a/sc/source/core/tool/interpr1.cxx b/sc/source/core/tool/interpr1.cxx
+index e375f1626ec5..4b093cb62d4f 100644
+--- a/sc/source/core/tool/interpr1.cxx
++++ b/sc/source/core/tool/interpr1.cxx
+@@ -7524,7 +7524,7 @@ void ScInterpreter::ScVLookup()
+ void ScInterpreter::ScSubTotal()
+ {
+     sal_uInt8 nParamCount = GetByte();
+-    if ( MustHaveParamCountMin( nParamCount, 2 ) )
++    if ( MustHaveParamCountMinWithStackCheck( nParamCount, 2 ) )
+     {
+         // We must fish the 1st parameter deep from the stack! And push it on top.
+         const FormulaToken* p = pStack[ sp - nParamCount ];
+@@ -7571,7 +7571,7 @@ void ScInterpreter::ScSubTotal()
+ void ScInterpreter::ScAggregate()
+ {
+     sal_uInt8 nParamCount = GetByte();
+-    if ( MustHaveParamCountMin( nParamCount, 3 ) )
++    if ( MustHaveParamCountMinWithStackCheck( nParamCount, 3 ) )
+     {
+         // fish the 1st parameter from the stack and push it on top.
+         const FormulaToken* p = pStack[ sp - nParamCount ];
+-- 
+2.41.0
+
diff --git a/SOURCES/0002-put-floating-frames-under-managed-links-control.patch b/SOURCES/0002-put-floating-frames-under-managed-links-control.patch
new file mode 100644
index 0000000..7039c81
--- /dev/null
+++ b/SOURCES/0002-put-floating-frames-under-managed-links-control.patch
@@ -0,0 +1,907 @@
+From 0ea515e760325b3d9f33824e917d0d549f4509e4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Thu, 13 Apr 2023 11:31:17 +0100
+Subject: [PATCH 2/3] put floating frames under managed links control
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+like we do for sections and ole objects that link to their content
+
+individual commits in trunk are:
+
+extract a OCommonEmbeddedObject::SetInplaceActiveState for reuse
+
+no behaviour change intended
+
+Change-Id: Ia1d12aa5c9afdc1347f6d4364bc6a0b7f41ee168
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150341
+Tested-by: Caolán McNamara <caolanm@redhat.com>
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+(cherry picked from commit 183e34a3f8c429c0698951e24c17844e416a3825)
+
+use parent window as dialog parent
+
+it makes no odds, but is more convenient for upcoming modification
+
+Change-Id: Ibc5333b137d2da089b3b701ff615c6ddf43063d0
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150342
+Tested-by: Caolán McNamara <caolanm@redhat.com>
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+(cherry picked from commit f93edf343658abd489bde3639d2ffaefd50c0f99)
+
+adjust IFrameObject so it could reuse mxFrame for a reload of content
+
+Change-Id: I7eec3132a23faafd9a2878215a0a117a67bc9bf2
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150343
+Tested-by: Caolán McNamara <caolanm@redhat.com>
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+(cherry picked from commit 3a727d26fd9eb6fa140bc3f5cadf3db079d42206)
+
+query getUserAllowsLinkUpdate for the case of content in a floating frame
+
+similarly to how it works for the more common "normal" embedded objects
+
+Change-Id: I83e38dfa2f84907c2de9680e91f779d34864a9ad
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/149971
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+(cherry picked from commit 52aa46468531918eabfa2031dedf50377ae72cf7)
+
+add a route to get writer Floating Frame links under 'manage links'
+
+Change-Id: If90ff71d6a96342574799312f764badaf97980eb
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150349
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+(cherry picked from commit 8b8a2844addbd262befb1a2d193dfb590dfa20be)
+
+allow SvxOle2Shape::resetModifiedState to survive having no SdrObject
+
+Change-Id: Iea059262c124e3f44249e49b4189732310d28156
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150538
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+(cherry picked from commit 02379929bd0e1d1676635f0ca1920422702ebb7c)
+
+create the FloatingFrameShape in a separate step to inserting it
+
+this is derived from the path taken by the AddShape(const OUString&)
+function for this case. No change in behavior is intended.
+
+Change-Id: Id09ae0c65a55a37743ad7c184070fb8dd97d8a7f
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150526
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+(cherry picked from commit bafec47847a0b9697b3bbe9358e53f8118af3024)
+
+add a route to get calc Floating Frame links under 'manage links'
+
+much harder than writer because the organization and ordering
+of properties and object activation etc is different.
+
+This ended up ugly, but functions.
+
+We set FrameURL before AddShape, we have to do it again later because it
+gets cleared when the SdrOle2Obj is attached to the XShape.  But we want
+FrameURL to exist when AddShape triggers SetPersistName which itself
+triggers SdrOle2Obj::CheckFileLink_Impl and at that point we want to
+know what URL will end up being used. So bodge this by setting FrameURL
+to the temp pre-SdrOle2Obj attached properties and we can smuggle it
+eventually into SdrOle2Obj::SetPersistName at the right point after
+PersistName is set but before SdrOle2Obj::CheckFileLink_Impl is called
+in order to inform the link manager that this is an IFrame that links to
+a URL
+
+Change-Id: I67fc199fef9e67fa12ca7873f0fe12137aa16d8f
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150539
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+(cherry picked from commit 07179a5a5bd00f34acfa8a3f260dd834ae003c63)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150755
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+(cherry picked from commit b91ea614c0b753ab3d378acd0e2db8262e9dbd72)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/151107
+Reviewed-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Tested-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
+Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
+
+(cherry picked from commit 8b35b17ffaab23d72ddec2d9f41be0e30fcaa6c4)
+Conflicts:
+	embeddedobj/source/commonembedding/specialobject.cxx
+	embeddedobj/source/inc/specialobject.hxx
+	include/svx/svdoole2.hxx
+	sfx2/source/doc/iframe.cxx
+	svx/source/svdraw/svdoole2.cxx
+	sw/source/core/ole/ndole.cxx
+	xmloff/source/draw/ximpshap.cxx
+---
+ .../source/commonembedding/embedobj.cxx       |  60 +++++-----
+ .../source/commonembedding/specialobject.cxx  |   9 ++
+ embeddedobj/source/inc/commonembobj.hxx       |   3 +
+ embeddedobj/source/inc/specialobject.hxx      |   6 +
+ include/svx/svdoole2.hxx                      |  17 ++-
+ include/svx/unoshape.hxx                      |   2 +
+ sc/source/ui/docshell/documentlinkmgr.cxx     |   9 +-
+ sfx2/source/doc/iframe.cxx                    |  55 +++++----
+ svx/source/svdraw/svdoole2.cxx                | 104 ++++++++++++++----
+ svx/source/unodraw/shapeimpl.hxx              |   5 +
+ svx/source/unodraw/unoshap4.cxx               |  23 +++-
+ sw/inc/ndole.hxx                              |   4 +-
+ sw/source/core/ole/ndole.cxx                  |  89 ++++++++++++--
+ xmloff/source/draw/ximpshap.cxx               |  29 ++++-
+ xmloff/source/draw/ximpshap.hxx               |   2 +
+ 15 files changed, 335 insertions(+), 90 deletions(-)
+
+diff --git a/embeddedobj/source/commonembedding/embedobj.cxx b/embeddedobj/source/commonembedding/embedobj.cxx
+index e6e5bec2a3160..b402dff22042a 100644
+--- a/embeddedobj/source/commonembedding/embedobj.cxx
++++ b/embeddedobj/source/commonembedding/embedobj.cxx
+@@ -155,6 +155,37 @@ void OCommonEmbeddedObject::StateChangeNotification_Impl( bool bBeforeChange, sa
+     }
+ }
+ 
++void OCommonEmbeddedObject::SetInplaceActiveState()
++{
++    if ( !m_xClientSite.is() )
++        throw embed::WrongStateException( "client site not set, yet", *this );
++
++    uno::Reference< embed::XInplaceClient > xInplaceClient( m_xClientSite, uno::UNO_QUERY );
++    if ( !xInplaceClient.is() || !xInplaceClient->canInplaceActivate() )
++        throw embed::WrongStateException(); //TODO: can't activate inplace
++    xInplaceClient->activatingInplace();
++
++    uno::Reference< embed::XWindowSupplier > xClientWindowSupplier( xInplaceClient, uno::UNO_QUERY_THROW );
++
++    m_xClientWindow = xClientWindowSupplier->getWindow();
++    m_aOwnRectangle = xInplaceClient->getPlacement();
++    m_aClipRectangle = xInplaceClient->getClipRectangle();
++    awt::Rectangle aRectangleToShow = GetRectangleInterception( m_aOwnRectangle, m_aClipRectangle );
++
++    // create own window based on the client window
++    // place and resize the window according to the rectangles
++    uno::Reference< awt::XWindowPeer > xClientWindowPeer( m_xClientWindow, uno::UNO_QUERY_THROW );
++
++    // dispatch provider may not be provided
++    uno::Reference< frame::XDispatchProvider > xContainerDP = xInplaceClient->getInplaceDispatchProvider();
++    bool bOk = m_xDocHolder->ShowInplace( xClientWindowPeer, aRectangleToShow, xContainerDP );
++    m_nObjectState = embed::EmbedStates::INPLACE_ACTIVE;
++    if ( !bOk )
++    {
++        SwitchStateTo_Impl( embed::EmbedStates::RUNNING );
++        throw embed::WrongStateException(); //TODO: can't activate inplace
++    }
++}
+ 
+ void OCommonEmbeddedObject::SwitchStateTo_Impl( sal_Int32 nNextState )
+ {
+@@ -228,34 +259,7 @@ void OCommonEmbeddedObject::SwitchStateTo_Impl( sal_Int32 nNextState )
+         {
+             if ( nNextState == embed::EmbedStates::INPLACE_ACTIVE )
+             {
+-                if ( !m_xClientSite.is() )
+-                    throw embed::WrongStateException( "client site not set, yet", *this );
+-
+-                uno::Reference< embed::XInplaceClient > xInplaceClient( m_xClientSite, uno::UNO_QUERY );
+-                if ( !xInplaceClient.is() || !xInplaceClient->canInplaceActivate() )
+-                    throw embed::WrongStateException(); //TODO: can't activate inplace
+-                xInplaceClient->activatingInplace();
+-
+-                uno::Reference< embed::XWindowSupplier > xClientWindowSupplier( xInplaceClient, uno::UNO_QUERY_THROW );
+-
+-                m_xClientWindow = xClientWindowSupplier->getWindow();
+-                m_aOwnRectangle = xInplaceClient->getPlacement();
+-                m_aClipRectangle = xInplaceClient->getClipRectangle();
+-                awt::Rectangle aRectangleToShow = GetRectangleInterception( m_aOwnRectangle, m_aClipRectangle );
+-
+-                // create own window based on the client window
+-                // place and resize the window according to the rectangles
+-                uno::Reference< awt::XWindowPeer > xClientWindowPeer( m_xClientWindow, uno::UNO_QUERY_THROW );
+-
+-                // dispatch provider may not be provided
+-                uno::Reference< frame::XDispatchProvider > xContainerDP = xInplaceClient->getInplaceDispatchProvider();
+-                bool bOk = m_xDocHolder->ShowInplace( xClientWindowPeer, aRectangleToShow, xContainerDP );
+-                m_nObjectState = nNextState;
+-                if ( !bOk )
+-                {
+-                    SwitchStateTo_Impl( embed::EmbedStates::RUNNING );
+-                    throw embed::WrongStateException(); //TODO: can't activate inplace
+-                }
++                SetInplaceActiveState();
+             }
+             else if ( nNextState == embed::EmbedStates::ACTIVE )
+             {
+diff --git a/embeddedobj/source/commonembedding/specialobject.cxx b/embeddedobj/source/commonembedding/specialobject.cxx
+index 683fe0aab3f25..c17a39accf2c7 100644
+--- a/embeddedobj/source/commonembedding/specialobject.cxx
++++ b/embeddedobj/source/commonembedding/specialobject.cxx
+@@ -47,6 +47,7 @@ uno::Any SAL_CALL OSpecialEmbeddedObject::queryInterface( const uno::Type& rType
+     uno::Any aReturn = ::cppu::queryInterface( rType,
+                                         static_cast< embed::XEmbeddedObject* >( this ),
+                                         static_cast< embed::XInplaceObject* >( this ),
++                                        static_cast< embed::XCommonEmbedPersist* >( static_cast< embed::XEmbedPersist* >( this ) ),
+                                         static_cast< embed::XVisualObject* >( this ),
+                                         static_cast< embed::XClassifiedObject* >( this ),
+                                         static_cast< embed::XComponentSupplier* >( this ),
+@@ -160,4 +161,12 @@ void SAL_CALL OSpecialEmbeddedObject::doVerb( sal_Int32 nVerbID )
+         OCommonEmbeddedObject::doVerb( nVerbID );
+ }
+ 
++void SAL_CALL OSpecialEmbeddedObject::reload(
++                const uno::Sequence< beans::PropertyValue >&,
++                const uno::Sequence< beans::PropertyValue >&)
++{
++    // Allow IFrames to reload their content
++    SetInplaceActiveState();
++}
++
+ /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
+diff --git a/embeddedobj/source/inc/commonembobj.hxx b/embeddedobj/source/inc/commonembobj.hxx
+index b2c9acd9ec1e7..73282a00deac4 100644
+--- a/embeddedobj/source/inc/commonembobj.hxx
++++ b/embeddedobj/source/inc/commonembobj.hxx
+@@ -226,6 +226,9 @@ private:
+                     const css::uno::Sequence< css::beans::PropertyValue >& lArguments,
+                     const css::uno::Sequence< css::beans::PropertyValue >& lObjArgs );
+ 
++protected:
++    void SetInplaceActiveState();
++
+ public:
+     OCommonEmbeddedObject(
+         const css::uno::Reference< css::uno::XComponentContext >& rxContext,
+diff --git a/embeddedobj/source/inc/specialobject.hxx b/embeddedobj/source/inc/specialobject.hxx
+index 32ad61a7a5828..ce5c01b35ae7f 100644
+--- a/embeddedobj/source/inc/specialobject.hxx
++++ b/embeddedobj/source/inc/specialobject.hxx
+@@ -48,6 +48,12 @@ public:
+     virtual void SAL_CALL changeState( sal_Int32 nNewState ) override;
+ 
+     virtual void SAL_CALL doVerb( sal_Int32 nVerbID ) override;
++
++// XCommonEmbedPersist
++
++    virtual void SAL_CALL reload(
++                const css::uno::Sequence< css::beans::PropertyValue >& lArguments,
++                const css::uno::Sequence< css::beans::PropertyValue >& lObjArgs ) override;
+ };
+ 
+ #endif
+diff --git a/include/svx/svdoole2.hxx b/include/svx/svdoole2.hxx
+index b192a438bc190..da5f094ab1553 100644
+--- a/include/svx/svdoole2.hxx
++++ b/include/svx/svdoole2.hxx
+@@ -42,6 +42,7 @@ namespace frame { class XModel; }
+ namespace svt { class EmbeddedObjectRef; }
+ 
+ class SdrOle2ObjImpl;
++class SvxOle2Shape;
+ 
+ class SVX_DLLPUBLIC SdrOle2Obj : public SdrRectObj
+ {
+@@ -49,7 +50,7 @@ private:
+     std::unique_ptr<SdrOle2ObjImpl> mpImpl;
+ 
+ private:
+-    SVX_DLLPRIVATE void Connect_Impl();
++    SVX_DLLPRIVATE void Connect_Impl(SvxOle2Shape* pCreator = nullptr);
+     SVX_DLLPRIVATE void Disconnect_Impl();
+     SVX_DLLPRIVATE void AddListeners_Impl();
+     SVX_DLLPRIVATE void RemoveListeners_Impl();
+@@ -105,7 +106,7 @@ public:
+     // OLE object has got a separate PersistName member now;
+     // !!! use ::SetPersistName( ... ) only, if you know what you do !!!
+     const OUString& GetPersistName() const;
+-    void        SetPersistName( const OUString& rPersistName );
++    void        SetPersistName( const OUString& rPersistName, SvxOle2Shape* pCreator = nullptr );
+ 
+     // One can add an application name to a SdrOle2Obj, which can be queried for
+     // later on (SD needs this for presentation objects).
+@@ -153,7 +154,7 @@ public:
+                                          sal_Int64 nAspect );
+     static bool Unload( const css::uno::Reference< css::embed::XEmbeddedObject >& xObj, sal_Int64 nAspect );
+     bool Unload();
+-    void Connect();
++    void Connect(SvxOle2Shape* pCreator = nullptr);
+     void Disconnect();
+     void ObjectLoaded();
+ 
+@@ -200,6 +201,16 @@ public:
+     void                Connect() { GetRealObject(); }
+ };
+ 
++class SVX_DLLPUBLIC SdrIFrameLink final : public sfx2::SvBaseLink
++{
++    SdrOle2Obj* m_pObject;
++
++public:
++    explicit SdrIFrameLink(SdrOle2Obj* pObject);
++    virtual ::sfx2::SvBaseLink::UpdateResult DataChanged(
++        const OUString& rMimeType, const css::uno::Any & rValue ) override;
++};
++
+ #endif // INCLUDED_SVX_SVDOOLE2_HXX
+ 
+ /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
+diff --git a/include/svx/unoshape.hxx b/include/svx/unoshape.hxx
+index 0b48d1e433d6e..712552a55281a 100644
+--- a/include/svx/unoshape.hxx
++++ b/include/svx/unoshape.hxx
+@@ -597,6 +597,8 @@ public:
+     bool createObject( const SvGlobalName &aClassName );
+ 
+     void createLink( const OUString& aLinkURL );
++
++    virtual OUString GetAndClearInitialFrameURL();
+ };
+ 
+ 
+diff --git a/sc/source/ui/docshell/documentlinkmgr.cxx b/sc/source/ui/docshell/documentlinkmgr.cxx
+index cb3467c8bb691..8ea3c2cce5fb4 100644
+--- a/sc/source/ui/docshell/documentlinkmgr.cxx
++++ b/sc/source/ui/docshell/documentlinkmgr.cxx
+@@ -142,7 +142,7 @@ bool DocumentLinkManager::hasDdeOrOleOrWebServiceLinks(bool bDde, bool bOle, boo
+         sfx2::SvBaseLink* pBase = rLink.get();
+         if (bDde && dynamic_cast<ScDdeLink*>(pBase))
+             return true;
+-        if (bOle && dynamic_cast<SdrEmbedObjectLink*>(pBase))
++        if (bOle && (dynamic_cast<SdrEmbedObjectLink*>(pBase) || dynamic_cast<SdrIFrameLink*>(pBase)))
+             return true;
+         if (bWebService && dynamic_cast<ScWebServiceLink*>(pBase))
+             return true;
+@@ -173,6 +173,13 @@ bool DocumentLinkManager::updateDdeOrOleOrWebServiceLinks(weld::Window* pWin)
+             continue;
+         }
+ 
++        SdrIFrameLink* pIFrameLink = dynamic_cast<SdrIFrameLink*>(pBase);
++        if (pIFrameLink)
++        {
++            pIFrameLink->Update();
++            continue;
++        }
++
+         ScWebServiceLink* pWebserviceLink = dynamic_cast<ScWebServiceLink*>(pBase);
+         if (pWebserviceLink)
+         {
+diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx
+index 5a0ea96a234da..fce6cb48ea08f 100644
+--- a/sfx2/source/doc/iframe.cxx
++++ b/sfx2/source/doc/iframe.cxx
+@@ -177,31 +177,46 @@ sal_Bool SAL_CALL IFrameObject::load(
+                 return false;
+         }
+ 
++        bool bUpdateAllowed(true);
++        if (pDoc)
++        {
++            // perhaps should only check for file targets, but lets default to making it strong
++            // unless there is a known need to distinguish
++            comphelper::EmbeddedObjectContainer& rEmbeddedObjectContainer = pDoc->getEmbeddedObjectContainer();
++            bUpdateAllowed = rEmbeddedObjectContainer.getUserAllowsLinkUpdate();
++        }
++        if (!bUpdateAllowed)
++            return false;
++
+         OUString sReferer;
+         if (pDoc && pDoc->HasName())
+             sReferer = pDoc->GetMedium()->GetName();
+ 
+-        DBG_ASSERT( !mxFrame.is(), "Frame already existing!" );
+-        VclPtr<vcl::Window> pParent = VCLUnoHelper::GetWindow( xFrame->getContainerWindow() );
+-        VclPtr<IFrameWindow_Impl> pWin = VclPtr<IFrameWindow_Impl>::Create( pParent, maFrmDescr.IsFrameBorderOn() );
+-        pWin->SetSizePixel( pParent->GetOutputSizePixel() );
+-        pWin->SetBackground();
+-        pWin->Show();
+-
+-        uno::Reference < awt::XWindow > xWindow( pWin->GetComponentInterface(), uno::UNO_QUERY );
+-        xFrame->setComponent( xWindow, uno::Reference < frame::XController >() );
++        uno::Reference<css::awt::XWindow> xParentWindow(xFrame->getContainerWindow());
+ 
+-        // we must destroy the IFrame before the parent is destroyed
+-        xWindow->addEventListener( this );
+-
+-        mxFrame = frame::Frame::create( mxContext );
+-        uno::Reference < awt::XWindow > xWin( pWin->GetComponentInterface(), uno::UNO_QUERY );
+-        mxFrame->initialize( xWin );
+-        mxFrame->setName( maFrmDescr.GetName() );
+-
+-        uno::Reference < frame::XFramesSupplier > xFramesSupplier( xFrame, uno::UNO_QUERY );
+-        if ( xFramesSupplier.is() )
+-            mxFrame->setCreator( xFramesSupplier );
++        if (!mxFrame.is())
++        {
++            VclPtr<vcl::Window> pParent = VCLUnoHelper::GetWindow(xParentWindow);
++            VclPtr<IFrameWindow_Impl> pWin = VclPtr<IFrameWindow_Impl>::Create( pParent, maFrmDescr.IsFrameBorderOn() );
++            pWin->SetSizePixel( pParent->GetOutputSizePixel() );
++            pWin->SetBackground();
++            pWin->Show();
++
++            uno::Reference < awt::XWindow > xWindow( pWin->GetComponentInterface(), uno::UNO_QUERY );
++            xFrame->setComponent( xWindow, uno::Reference < frame::XController >() );
++
++            // we must destroy the IFrame before the parent is destroyed
++            xWindow->addEventListener( this );
++
++            mxFrame = frame::Frame::create( mxContext );
++            uno::Reference < awt::XWindow > xWin( pWin->GetComponentInterface(), uno::UNO_QUERY );
++            mxFrame->initialize( xWin );
++            mxFrame->setName( maFrmDescr.GetName() );
++
++            uno::Reference < frame::XFramesSupplier > xFramesSupplier( xFrame, uno::UNO_QUERY );
++            if ( xFramesSupplier.is() )
++                mxFrame->setCreator( xFramesSupplier );
++        }
+ 
+         uno::Sequence < beans::PropertyValue > aProps{
+             comphelper::makePropertyValue("PluginMode", sal_Int16(2)),
+diff --git a/svx/source/svdraw/svdoole2.cxx b/svx/source/svdraw/svdoole2.cxx
+index 16617ecaf94fe..dc5f74811723d 100644
+--- a/svx/source/svdraw/svdoole2.cxx
++++ b/svx/source/svdraw/svdoole2.cxx
+@@ -78,6 +78,7 @@
+ #include <sdr/contact/viewcontactofsdrole2obj.hxx>
+ #include <svx/svdograf.hxx>
+ #include <sdr/properties/oleproperties.hxx>
++#include <svx/unoshape.hxx>
+ #include <svx/xlineit0.hxx>
+ #include <svx/xlnclit.hxx>
+ #include <svx/xbtmpit.hxx>
+@@ -598,6 +599,35 @@ void SdrEmbedObjectLink::Closed()
+     SvBaseLink::Closed();
+ }
+ 
++SdrIFrameLink::SdrIFrameLink(SdrOle2Obj* pObject)
++    : ::sfx2::SvBaseLink(::SfxLinkUpdateMode::ONCALL, SotClipboardFormatId::SVXB)
++    , m_pObject(pObject)
++{
++    SetSynchron( false );
++}
++
++::sfx2::SvBaseLink::UpdateResult SdrIFrameLink::DataChanged(
++    const OUString&, const uno::Any& )
++{
++    uno::Reference<embed::XEmbeddedObject> xObject = m_pObject->GetObjRef();
++    uno::Reference<embed::XCommonEmbedPersist> xPersObj(xObject, uno::UNO_QUERY);
++    if (xPersObj.is())
++    {
++        // let the IFrameObject reload the link
++        try
++        {
++            xPersObj->reload(uno::Sequence<beans::PropertyValue>(), uno::Sequence<beans::PropertyValue>());
++        }
++        catch (const uno::Exception&)
++        {
++        }
++
++        m_pObject->SetChanged();
++    }
++
++    return SUCCESS;
++}
++
+ class SdrOle2ObjImpl
+ {
+ public:
+@@ -615,7 +645,7 @@ public:
+     bool mbLoadingOLEObjectFailed:1; // New local var to avoid repeated loading if load of OLE2 fails
+     bool mbConnected:1;
+ 
+-    SdrEmbedObjectLink* mpObjectLink;
++    sfx2::SvBaseLink* mpObjectLink;
+     OUString maLinkURL;
+ 
+     rtl::Reference<SvxUnoShapeModifyListener> mxModifyListener;
+@@ -815,7 +845,7 @@ bool SdrOle2Obj::IsEmpty() const
+     return !mpImpl->mxObjRef.is();
+ }
+ 
+-void SdrOle2Obj::Connect()
++void SdrOle2Obj::Connect(SvxOle2Shape* pCreator)
+ {
+     if( IsEmptyPresObj() )
+         return;
+@@ -828,7 +858,7 @@ void SdrOle2Obj::Connect()
+         return;
+     }
+ 
+-    Connect_Impl();
++    Connect_Impl(pCreator);
+     AddListeners_Impl();
+ }
+ 
+@@ -927,24 +957,51 @@ void SdrOle2Obj::CheckFileLink_Impl()
+     {
+         try
+         {
+-            uno::Reference< embed::XLinkageSupport > xLinkSupport( mpImpl->mxObjRef.GetObject(), uno::UNO_QUERY );
++            uno::Reference<embed::XEmbeddedObject> xObject = mpImpl->mxObjRef.GetObject();
++            if (!xObject)
++                return;
+ 
+-            if ( xLinkSupport.is() && xLinkSupport->isLink() )
+-            {
+-                OUString aLinkURL = xLinkSupport->getLinkURL();
++            bool bIFrame = false;
+ 
+-                if ( !aLinkURL.isEmpty() )
++            OUString aLinkURL;
++            uno::Reference<embed::XLinkageSupport> xLinkSupport(xObject, uno::UNO_QUERY);
++            if (xLinkSupport)
++            {
++                if (xLinkSupport->isLink())
++                    aLinkURL = xLinkSupport->getLinkURL();
++            }
++            else
++            {
++                // get IFrame (Floating Frames) listed and updatable from the
++                // manage links dialog
++                SvGlobalName aClassId(xObject->getClassID());
++                if (aClassId == SvGlobalName(SO3_IFRAME_CLASSID))
+                 {
+-                    // this is a file link so the model link manager should handle it
+-                    sfx2::LinkManager* pLinkManager(getSdrModelFromSdrObject().GetLinkManager());
++                    uno::Reference<beans::XPropertySet> xSet(xObject->getComponent(), uno::UNO_QUERY);
++                    if (xSet.is())
++                        xSet->getPropertyValue("FrameURL") >>= aLinkURL;
++                    bIFrame = true;
++                }
++            }
++
++            if (!aLinkURL.isEmpty()) // this is a file link so the model link manager should handle it
++            {
++                sfx2::LinkManager* pLinkManager(getSdrModelFromSdrObject().GetLinkManager());
+ 
+-                    if ( pLinkManager )
++                if ( pLinkManager )
++                {
++                    SdrEmbedObjectLink* pEmbedObjectLink = nullptr;
++                    if (!bIFrame)
+                     {
+-                        mpImpl->mpObjectLink = new SdrEmbedObjectLink( this );
+-                        mpImpl->maLinkURL = aLinkURL;
+-                        pLinkManager->InsertFileLink( *mpImpl->mpObjectLink, OBJECT_CLIENT_OLE, aLinkURL );
+-                        mpImpl->mpObjectLink->Connect();
++                        pEmbedObjectLink = new SdrEmbedObjectLink(this);
++                        mpImpl->mpObjectLink = pEmbedObjectLink;
+                     }
++                    else
++                        mpImpl->mpObjectLink = new SdrIFrameLink(this);
++                    mpImpl->maLinkURL = aLinkURL;
++                    pLinkManager->InsertFileLink( *mpImpl->mpObjectLink, OBJECT_CLIENT_OLE, aLinkURL );
++                    if (pEmbedObjectLink)
++                        pEmbedObjectLink->Connect();
+                 }
+             }
+         }
+@@ -955,7 +1012,7 @@ void SdrOle2Obj::CheckFileLink_Impl()
+     }
+ }
+ 
+-void SdrOle2Obj::Connect_Impl()
++void SdrOle2Obj::Connect_Impl(SvxOle2Shape* pCreator)
+ {
+     if(!mpImpl->aPersistName.isEmpty() )
+     {
+@@ -995,6 +1052,17 @@ void SdrOle2Obj::Connect_Impl()
+                 }
+             }
+ 
++            if (pCreator)
++            {
++                OUString sFrameURL(pCreator->GetAndClearInitialFrameURL());
++                if (!sFrameURL.isEmpty() && svt::EmbeddedObjectRef::TryRunningState(mpImpl->mxObjRef.GetObject()))
++                {
++                    uno::Reference<beans::XPropertySet> xSet(mpImpl->mxObjRef->getComponent(), uno::UNO_QUERY);
++                    if (xSet.is())
++                        xSet->setPropertyValue("FrameURL", uno::Any(sFrameURL));
++                }
++            }
++
+             if ( mpImpl->mxObjRef.is() )
+             {
+                 if ( !mpImpl->mxLightClient.is() )
+@@ -1308,14 +1376,14 @@ SdrObjectUniquePtr SdrOle2Obj::getFullDragClone() const
+     return createSdrGrafObjReplacement(false);
+ }
+ 
+-void SdrOle2Obj::SetPersistName( const OUString& rPersistName )
++void SdrOle2Obj::SetPersistName( const OUString& rPersistName, SvxOle2Shape* pCreator )
+ {
+     DBG_ASSERT( mpImpl->aPersistName.isEmpty(), "Persist name changed!");
+ 
+     mpImpl->aPersistName = rPersistName;
+     mpImpl->mbLoadingOLEObjectFailed = false;
+ 
+-    Connect();
++    Connect(pCreator);
+     SetChanged();
+ }
+ 
+diff --git a/svx/source/unodraw/shapeimpl.hxx b/svx/source/unodraw/shapeimpl.hxx
+index a1a4e69630206..4381094d380a3 100644
+--- a/svx/source/unodraw/shapeimpl.hxx
++++ b/svx/source/unodraw/shapeimpl.hxx
+@@ -64,8 +64,11 @@ public:
+ 
+     virtual void Create( SdrObject* pNewOpj, SvxDrawPage* pNewPage ) override;
+ };
++
+ class SvxFrameShape : public SvxOle2Shape
+ {
++private:
++    OUString m_sInitialFrameURL;
+ protected:
+     // override these for special property handling in subcasses. Return true if property is handled
+     virtual bool setPropertyValueImpl( const OUString& rName, const SfxItemPropertySimpleEntry* pProperty, const css::uno::Any& rValue ) override;
+@@ -82,6 +85,8 @@ public:
+     virtual void SAL_CALL setPropertyValues( const css::uno::Sequence< OUString >& aPropertyNames, const css::uno::Sequence< css::uno::Any >& aValues ) override;
+ 
+     virtual void Create( SdrObject* pNewOpj, SvxDrawPage* pNewPage ) override;
++
++    virtual OUString GetAndClearInitialFrameURL() override;
+ };
+ 
+ 
+diff --git a/svx/source/unodraw/unoshap4.cxx b/svx/source/unodraw/unoshap4.cxx
+index f7629f3388587..6dc18d6cf9e48 100644
+--- a/svx/source/unodraw/unoshap4.cxx
++++ b/svx/source/unodraw/unoshap4.cxx
+@@ -180,7 +180,7 @@ bool SvxOle2Shape::setPropertyValueImpl( const OUString& rName, const SfxItemPro
+ #else
+             pOle = static_cast<SdrOle2Obj*>(GetSdrObject());
+ #endif
+-            pOle->SetPersistName( aPersistName );
++            pOle->SetPersistName( aPersistName, this );
+             return true;
+         }
+         break;
+@@ -501,10 +501,11 @@ void SvxOle2Shape::createLink( const OUString& aLinkURL )
+ 
+ void SvxOle2Shape::resetModifiedState()
+ {
+-    ::comphelper::IEmbeddedHelper* pPersist = GetSdrObject()->getSdrModelFromSdrObject().GetPersist();
++    SdrObject* pObject = GetSdrObject();
++    ::comphelper::IEmbeddedHelper* pPersist = pObject ? pObject->getSdrModelFromSdrObject().GetPersist() : nullptr;
+     if( pPersist && !pPersist->isEnableSetModified() )
+     {
+-        SdrOle2Obj* pOle = dynamic_cast< SdrOle2Obj* >( GetSdrObject() );
++        SdrOle2Obj* pOle = dynamic_cast< SdrOle2Obj* >(pObject);
+         if( pOle && !pOle->IsEmpty() )
+         {
+             uno::Reference < util::XModifiable > xMod( pOle->GetObjRef(), uno::UNO_QUERY );
+@@ -554,6 +555,11 @@ SvGlobalName SvxOle2Shape::GetClassName_Impl(OUString& rHexCLSID)
+     return aClassName;
+ }
+ 
++OUString SvxOle2Shape::GetAndClearInitialFrameURL()
++{
++    return OUString();
++}
++
+ SvxAppletShape::SvxAppletShape(SdrObject* pObject)
+     : SvxOle2Shape( pObject, getSvxMapProvider().GetMap(SVXMAP_APPLET), getSvxMapProvider().GetPropertySet(SVXMAP_APPLET, SdrObject::GetGlobalDrawObjectItemPool())  )
+ {
+@@ -707,8 +713,19 @@ SvxFrameShape::~SvxFrameShape() throw()
+ {
+ }
+ 
++OUString SvxFrameShape::GetAndClearInitialFrameURL()
++{
++    OUString sRet(m_sInitialFrameURL);
++    m_sInitialFrameURL.clear();
++    return sRet;
++}
++
+ void SvxFrameShape::Create( SdrObject* pNewObj, SvxDrawPage* pNewPage )
+ {
++    uno::Reference<beans::XPropertySet> xSet(static_cast<OWeakObject *>(this), uno::UNO_QUERY);
++    if (xSet)
++        xSet->getPropertyValue("FrameURL") >>= m_sInitialFrameURL;
++
+     SvxShape::Create( pNewObj, pNewPage );
+     const SvGlobalName aIFrameClassId( SO3_IFRAME_CLASSID );
+     createObject(aIFrameClassId);
+diff --git a/sw/inc/ndole.hxx b/sw/inc/ndole.hxx
+index 852fffd84e3d7..a2d9749420970 100644
+--- a/sw/inc/ndole.hxx
++++ b/sw/inc/ndole.hxx
+@@ -28,7 +28,7 @@ class SwGrfFormatColl;
+ class SwDoc;
+ class SwOLENode;
+ class SwOLEListener_Impl;
+-class SwEmbedObjectLink;
++namespace sfx2 { class SvBaseLink; }
+ class DeflateData;
+ 
+ class SW_DLLPUBLIC SwOLEObj
+@@ -90,7 +90,7 @@ class SW_DLLPUBLIC SwOLENode: public SwNoTextNode
+     bool   mbOLESizeInvalid; /**< Should be considered at SwDoc::PrtOLENotify
+                                    (e.g. copied). Is not persistent. */
+ 
+-    SwEmbedObjectLink*  mpObjectLink;
++    sfx2::SvBaseLink*  mpObjectLink;
+     OUString maLinkURL;
+ 
+     SwOLENode(  const SwNodeIndex &rWhere,
+diff --git a/sw/source/core/ole/ndole.cxx b/sw/source/core/ole/ndole.cxx
+index 9000d6ef1b9ee..7501fcdd09d7a 100644
+--- a/sw/source/core/ole/ndole.cxx
++++ b/sw/source/core/ole/ndole.cxx
+@@ -147,6 +147,8 @@ void SAL_CALL SwOLEListener_Impl::disposing( const lang::EventObject& )
+ // TODO/LATER: actually SwEmbedObjectLink should be used here, but because different objects are used to control
+ //             embedded object different link objects with the same functionality had to be implemented
+ 
++namespace {
++
+ class SwEmbedObjectLink : public sfx2::SvBaseLink
+ {
+     SwOLENode*          pOleNode;
+@@ -209,6 +211,44 @@ void SwEmbedObjectLink::Closed()
+     SvBaseLink::Closed();
+ }
+ 
++class SwIFrameLink : public sfx2::SvBaseLink
++{
++    SwOLENode* m_pOleNode;
++
++public:
++    explicit SwIFrameLink(SwOLENode* pNode)
++        : ::sfx2::SvBaseLink(::SfxLinkUpdateMode::ONCALL, SotClipboardFormatId::SVXB)
++        , m_pOleNode(pNode)
++    {
++        SetSynchron( false );
++    }
++
++    ::sfx2::SvBaseLink::UpdateResult DataChanged(
++        const OUString&, const uno::Any& )
++    {
++        uno::Reference<embed::XEmbeddedObject> xObject = m_pOleNode->GetOLEObj().GetOleRef();
++        uno::Reference<embed::XCommonEmbedPersist> xPersObj(xObject, uno::UNO_QUERY);
++        if (xPersObj.is())
++        {
++            // let the IFrameObject reload the link
++            try
++            {
++                xPersObj->reload(uno::Sequence<beans::PropertyValue>(), uno::Sequence<beans::PropertyValue>());
++            }
++            catch (const uno::Exception&)
++            {
++            }
++
++            m_pOleNode->SetChanged();
++        }
++
++        return SUCCESS;
++    }
++
++};
++
++}
++
+ SwOLENode::SwOLENode( const SwNodeIndex &rWhere,
+                     const svt::EmbeddedObjectRef& xObj,
+                     SwGrfFormatColl *pGrfColl,
+@@ -606,18 +646,49 @@ void SwOLENode::CheckFileLink_Impl()
+     {
+         try
+         {
+-            uno::Reference< embed::XLinkageSupport > xLinkSupport( maOLEObj.m_xOLERef.GetObject(), uno::UNO_QUERY_THROW );
+-            if ( xLinkSupport->isLink() )
++            uno::Reference<embed::XEmbeddedObject> xObject = maOLEObj.m_xOLERef.GetObject();
++            if (!xObject)
++                return;
++
++            bool bIFrame = false;
++
++            OUString aLinkURL;
++            uno::Reference<embed::XLinkageSupport> xLinkSupport(xObject, uno::UNO_QUERY);
++            if (xLinkSupport)
++            {
++                if (xLinkSupport->isLink())
++                    aLinkURL = xLinkSupport->getLinkURL();
++            }
++            else
+             {
+-                const OUString aLinkURL = xLinkSupport->getLinkURL();
+-                if ( !aLinkURL.isEmpty() )
++                // get IFrame (Floating Frames) listed and updatable from the
++                // manage links dialog
++                SvGlobalName aClassId(xObject->getClassID());
++                if (aClassId == SvGlobalName(SO3_IFRAME_CLASSID))
++                {
++                    uno::Reference<beans::XPropertySet> xSet(xObject->getComponent(), uno::UNO_QUERY);
++                    if (xSet.is())
++                        xSet->getPropertyValue("FrameURL") >>= aLinkURL;
++                    bIFrame = true;
++                }
++            }
++
++            if (!aLinkURL.isEmpty()) // this is a file link so the model link manager should handle it
++            {
++                SwEmbedObjectLink* pEmbedObjectLink = nullptr;
++                if (!bIFrame)
++                {
++                    pEmbedObjectLink = new SwEmbedObjectLink(this);
++                    mpObjectLink = pEmbedObjectLink;
++                }
++                else
+                 {
+-                    // this is a file link so the model link manager should handle it
+-                    mpObjectLink = new SwEmbedObjectLink( this );
+-                    maLinkURL = aLinkURL;
+-                    GetDoc()->getIDocumentLinksAdministration().GetLinkManager().InsertFileLink( *mpObjectLink, OBJECT_CLIENT_OLE, aLinkURL );
+-                    mpObjectLink->Connect();
++                    mpObjectLink = new SwIFrameLink(this);
+                 }
++                maLinkURL = aLinkURL;
++                GetDoc()->getIDocumentLinksAdministration().GetLinkManager().InsertFileLink( *mpObjectLink, OBJECT_CLIENT_OLE, aLinkURL );
++                if (pEmbedObjectLink)
++                    pEmbedObjectLink->Connect();
+             }
+         }
+         catch( uno::Exception& )
+diff --git a/xmloff/source/draw/ximpshap.cxx b/xmloff/source/draw/ximpshap.cxx
+index ae35f1e21a87b..bd5f30af7d708 100644
+--- a/xmloff/source/draw/ximpshap.cxx
++++ b/xmloff/source/draw/ximpshap.cxx
+@@ -3223,9 +3223,35 @@ SdXMLFloatingFrameShapeContext::~SdXMLFloatingFrameShapeContext()
+ {
+ }
+ 
++uno::Reference<drawing::XShape> SdXMLFloatingFrameShapeContext::CreateFloatingFrameShape() const
++{
++    uno::Reference<lang::XMultiServiceFactory> xServiceFact(GetImport().GetModel(), uno::UNO_QUERY);
++    if (!xServiceFact.is())
++        return nullptr;
++    uno::Reference<drawing::XShape> xShape(
++            xServiceFact->createInstance("com.sun.star.drawing.FrameShape"), uno::UNO_QUERY);
++    return xShape;
++}
++
+ void SdXMLFloatingFrameShapeContext::StartElement( const css::uno::Reference< css::xml::sax::XAttributeList >& )
+ {
+-    AddShape("com.sun.star.drawing.FrameShape");
++    uno::Reference<drawing::XShape> xShape(SdXMLFloatingFrameShapeContext::CreateFloatingFrameShape());
++
++    uno::Reference< beans::XPropertySet > xProps(xShape, uno::UNO_QUERY);
++    // set FrameURL before AddShape, we have to do it again later because it
++    // gets cleared when the SdrOle2Obj is attached to the XShape.  But we want
++    // FrameURL to exist when AddShape triggers SetPersistName which itself
++    // triggers SdrOle2Obj::CheckFileLink_Impl and at that point we want to
++    // know what URL will end up being used. So bodge this by setting FrameURL
++    // to the temp pre-SdrOle2Obj attached properties and we can smuggle it
++    // eventually into SdrOle2Obj::SetPersistName at the right point after
++    // PersistName is set but before SdrOle2Obj::CheckFileLink_Impl is called
++    // in order to inform the link manager that this is an IFrame that links to
++    // a URL
++    if (xProps && !maHref.isEmpty())
++        xProps->setPropertyValue("FrameURL", Any(maHref));
++
++    AddShape(xShape);
+ 
+     if( mxShape.is() )
+     {
+@@ -3234,7 +3260,6 @@ void SdXMLFloatingFrameShapeContext::StartElement( const css::uno::Reference< cs
+         // set pos, size, shear and rotate
+         SetTransformation();
+ 
+-        uno::Reference< beans::XPropertySet > xProps( mxShape, uno::UNO_QUERY );
+         if( xProps.is() )
+         {
+             if( !maFrameName.isEmpty() )
+diff --git a/xmloff/source/draw/ximpshap.hxx b/xmloff/source/draw/ximpshap.hxx
+index fae45f88f00a9..a00c87e8a0dab 100644
+--- a/xmloff/source/draw/ximpshap.hxx
++++ b/xmloff/source/draw/ximpshap.hxx
+@@ -513,6 +513,8 @@ private:
+     OUString maFrameName;
+     OUString maHref;
+ 
++    css::uno::Reference<css::drawing::XShape> CreateFloatingFrameShape() const;
++
+ public:
+ 
+     SdXMLFloatingFrameShapeContext( SvXMLImport& rImport, sal_uInt16 nPrfx,
+-- 
+2.41.0
+
diff --git a/SOURCES/0003-Always-push-a-result-even-if-it-s-only-an-error.patch b/SOURCES/0003-Always-push-a-result-even-if-it-s-only-an-error.patch
new file mode 100644
index 0000000..8149469
--- /dev/null
+++ b/SOURCES/0003-Always-push-a-result-even-if-it-s-only-an-error.patch
@@ -0,0 +1,50 @@
+From 7e128f02a7cb513e4e57dbb1970fa316f456aa45 Mon Sep 17 00:00:00 2001
+From: Eike Rathke <erack@redhat.com>
+Date: Mon, 27 Feb 2023 16:10:06 +0100
+Subject: [PATCH 3/3] Always push a result, even if it's only an error
+
+PERCENTILE() and QUARTILE() if an error was passed as argument (or
+an error encountered during obtaining arguments) omitted to push
+an error result, only setting the error.
+
+Fallout from
+
+    commit f336f63da900d76c2bf6e5690f1c8a7bd15a0aa2
+    CommitDate: Thu Mar 3 16:28:59 2016 +0000
+
+        tdf#94635 Add FORECAST.ETS functions to Calc
+
+Change-Id: I23e276fb0ce735cfd6383cc963446499dcf819f4
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147922
+Reviewed-by: Eike Rathke <erack@redhat.com>
+Tested-by: Jenkins
+(cherry picked from commit 64914560e279c71ff1233f4bab851e2a292797e6)
+---
+ sc/source/core/tool/interpr3.cxx | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sc/source/core/tool/interpr3.cxx b/sc/source/core/tool/interpr3.cxx
+index f219beca9386..d442d4eee224 100644
+--- a/sc/source/core/tool/interpr3.cxx
++++ b/sc/source/core/tool/interpr3.cxx
+@@ -3474,7 +3474,7 @@ void ScInterpreter::ScPercentile( bool bInclusive )
+     GetNumberSequenceArray( 1, aArray, false );
+     if ( aArray.empty() || nGlobalError != FormulaError::NONE )
+     {
+-        SetError( FormulaError::NoValue );
++        PushNoValue();
+         return;
+     }
+     if ( bInclusive )
+@@ -3497,7 +3497,7 @@ void ScInterpreter::ScQuartile( bool bInclusive )
+     GetNumberSequenceArray( 1, aArray, false );
+     if ( aArray.empty() || nGlobalError != FormulaError::NONE )
+     {
+-        SetError( FormulaError::NoValue );
++        PushNoValue();
+         return;
+     }
+     if ( bInclusive )
+-- 
+2.41.0
+
diff --git a/SOURCES/0003-CVE-2023-6186-default-to-ignoring-libreoffice-special-purpose-prot.patch b/SOURCES/0003-CVE-2023-6186-default-to-ignoring-libreoffice-special-purpose-prot.patch
new file mode 100644
index 0000000..bd7487b
--- /dev/null
+++ b/SOURCES/0003-CVE-2023-6186-default-to-ignoring-libreoffice-special-purpose-prot.patch
@@ -0,0 +1,225 @@
+From ae89e7b8ae1e781c1a9d8ca2c5d4aeca656932f8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolan.mcnamara@collabora.com>
+Date: Fri, 3 Nov 2023 17:26:25 +0000
+Subject: [PATCH] default to ignoring libreoffice special-purpose protocols in
+ calc hyperlink
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: Ib9f62be3acc05f24ca234dec0fec21e24579e9de
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158911
+Tested-by: Jenkins
+Tested-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit b6062623b4d69c79e90e9365ac7c5e7f11986793)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159045
+Reviewed-by: Eike Rathke <erack@redhat.com>
+Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159882
+Tested-by: Miklos Vajna <vmiklos@collabora.com>
+Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
+Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159912
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+
+erAck: backported to 6.4.7.2
+
+---
+ dbaccess/source/core/dataaccess/ModelImpl.cxx |  3 +-
+ include/sfx2/docmacromode.hxx                 |  5 ++-
+ include/sfx2/objsh.hxx                        |  3 ++
+ sc/source/core/data/global.cxx                | 33 ++++++++++++++++++-
+ sfx2/source/doc/docmacromode.cxx              |  8 +++--
+ sfx2/source/doc/objmisc.cxx                   |  8 ++++-
+ sfx2/source/doc/objxtor.cxx                   |  1 +
+ sfx2/source/inc/objshimp.hxx                  |  3 +-
+ 8 files changed, 57 insertions(+), 7 deletions(-)
+
+diff --git a/dbaccess/source/core/dataaccess/ModelImpl.cxx b/dbaccess/source/core/dataaccess/ModelImpl.cxx
+index 1f11f36..ce4dbae 100644
+--- a/dbaccess/source/core/dataaccess/ModelImpl.cxx
++++ b/dbaccess/source/core/dataaccess/ModelImpl.cxx
+@@ -1140,7 +1140,8 @@ bool ODatabaseModelImpl::checkMacrosOnLoading()
+ {
+     Reference< XInteractionHandler > xInteraction;
+     xInteraction = m_aMediaDescriptor.getOrDefault( "InteractionHandler", xInteraction );
+-    return m_aMacroMode.checkMacrosOnLoading( xInteraction );
++    const bool bHasMacros = m_aMacroMode.hasMacros();
++    return m_aMacroMode.checkMacrosOnLoading(xInteraction, bHasMacros);
+ }
+ 
+ void ODatabaseModelImpl::resetMacroExecutionMode()
+diff --git a/include/sfx2/docmacromode.hxx b/include/sfx2/docmacromode.hxx
+index a15bbbe..98b7d3a 100644
+--- a/include/sfx2/docmacromode.hxx
++++ b/include/sfx2/docmacromode.hxx
+@@ -260,6 +260,8 @@ namespace sfx2
+         */
+         static bool storageHasMacros( const css::uno::Reference< css::embed::XStorage >& _rxStorage );
+ 
++        bool hasMacros() const;
++
+         static bool containerHasBasicMacros( const css::uno::Reference< css::script::XLibraryContainer >& xContainter );
+         /** checks the macro execution mode while loading the document.
+ 
+@@ -286,7 +288,8 @@ namespace sfx2
+         */
+         bool
+                 checkMacrosOnLoading(
+-                    const css::uno::Reference< css::task::XInteractionHandler >& _rxInteraction
++                    const css::uno::Reference< css::task::XInteractionHandler >& _rxInteraction,
++                    bool bHasMacros
+                 );
+ 
+     private:
+diff --git a/include/sfx2/objsh.hxx b/include/sfx2/objsh.hxx
+index 2a56ebe..43df460 100644
+--- a/include/sfx2/objsh.hxx
++++ b/include/sfx2/objsh.hxx
+@@ -418,6 +418,9 @@ public:
+     void                        SetMacroCallsSeenWhileLoading();
+     bool                        GetMacroCallsSeenWhileLoading() const;
+ 
++    // true if the document had macros (or similar) on load to trigger warning user
++    bool                        GetHadCheckedMacrosOnLoad() const;
++
+     const css::uno::Sequence< css::beans::PropertyValue >& GetModifyPasswordInfo() const;
+     bool                        SetModifyPasswordInfo( const css::uno::Sequence< css::beans::PropertyValue >& aInfo );
+ 
+diff --git a/sc/source/core/data/global.cxx b/sc/source/core/data/global.cxx
+index 050fd82..92d50c4 100644
+--- a/sc/source/core/data/global.cxx
++++ b/sc/source/core/data/global.cxx
+@@ -26,7 +26,9 @@
+ #include <sfx2/docfile.hxx>
+ #include <sfx2/dispatch.hxx>
+ #include <sfx2/objsh.hxx>
++#include <sfx2/sfxresid.hxx>
+ #include <sfx2/sfxsids.hrc>
++#include <sfx2/strings.hrc>
+ #include <sfx2/viewfrm.hxx>
+ #include <sfx2/viewsh.hxx>
+ #include <svl/intitem.hxx>
+@@ -789,7 +791,7 @@ void ScGlobal::OpenURL(const OUString& rURL, const OUString& rTarget, bool bIgno
+ 
+     OUString aUrlName( rURL );
+     SfxViewFrame* pFrame = nullptr;
+-    const SfxObjectShell* pObjShell = nullptr;
++    SfxObjectShell* pObjShell = nullptr;
+     OUString aReferName;
+     if ( pScActiveViewShell )
+     {
+@@ -823,6 +825,35 @@ void ScGlobal::OpenURL(const OUString& rURL, const OUString& rTarget, bool bIgno
+             aUrlName = aNewUrlName;
+     }
+ 
++    if (INetURLObject(aUrlName).IsExoticProtocol())
++    {
++        // Default to ignoring exotic protocols
++        bool bAllow = false;
++        if (pObjShell)
++        {
++            // If the document had macros when loaded then follow the allowed macro-mode
++            if (pObjShell->GetHadCheckedMacrosOnLoad())
++                bAllow = pObjShell->AdjustMacroMode();
++            else // otherwise ask the user, defaulting to cancel
++            {
++                assert(pFrame && "if we have pObjShell we have pFrame");
++                //Reuse URITools::onOpenURI warning string
++                std::unique_ptr<weld::MessageDialog> xQueryBox(Application::CreateMessageDialog(pFrame->GetFrameWeld(),
++                                                               VclMessageType::Warning, VclButtonsType::YesNo,
++                                                               SfxResId(STR_DANGEROUS_TO_OPEN)));
++                xQueryBox->set_primary_text(xQueryBox->get_primary_text().replaceFirst("$(ARG1)",
++                    INetURLObject::decode(aUrlName, INetURLObject::DecodeMechanism::Unambiguous)));
++                xQueryBox->set_default_response(RET_NO);
++                bAllow = xQueryBox->run() == RET_YES;
++            }
++        }
++        if (!bAllow)
++        {
++            SAL_WARN("sc", "ScGlobal::OpenURL ignoring: " << aUrlName);
++            return;
++        }
++    }
++
+     SfxStringItem aUrl( SID_FILE_NAME, aUrlName );
+     SfxStringItem aTarget( SID_TARGETNAME, rTarget );
+     if ( nScClickMouseModifier & KEY_SHIFT )     // control-click -> into new window
+diff --git a/sfx2/source/doc/docmacromode.cxx b/sfx2/source/doc/docmacromode.cxx
+index 492bd0a..7f1fb2b 100644
+--- a/sfx2/source/doc/docmacromode.cxx
++++ b/sfx2/source/doc/docmacromode.cxx
+@@ -391,8 +391,12 @@ namespace sfx2
+         return bHasMacros;
+     }
+ 
++    bool DocumentMacroMode::hasMacros() const
++    {
++        return m_xData->m_rDocumentAccess.documentStorageHasMacros() || hasMacroLibrary() || m_xData->m_rDocumentAccess.macroCallsSeenWhileLoading();
++    }
+ 
+-    bool DocumentMacroMode::checkMacrosOnLoading( const Reference< XInteractionHandler >& rxInteraction )
++    bool DocumentMacroMode::checkMacrosOnLoading( const Reference< XInteractionHandler >& rxInteraction, bool bHasMacros )
+     {
+         bool bAllow = false;
+         if ( SvtSecurityOptions().IsMacroDisabled() )
+@@ -402,7 +406,7 @@ namespace sfx2
+         }
+         else
+         {
+-            if (m_xData->m_rDocumentAccess.documentStorageHasMacros() || hasMacroLibrary() || m_xData->m_rDocumentAccess.macroCallsSeenWhileLoading())
++            if (bHasMacros)
+             {
+                 bAllow = adjustMacroMode( rxInteraction );
+             }
+diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx
+index 6819404..fac75dd 100644
+--- a/sfx2/source/doc/objmisc.cxx
++++ b/sfx2/source/doc/objmisc.cxx
+@@ -953,9 +953,15 @@ void SfxObjectShell::CheckSecurityOnLoading_Impl()
+     CheckEncryption_Impl( xInteraction );
+ 
+     // check macro security
+-    pImpl->aMacroMode.checkMacrosOnLoading( xInteraction );
++    const bool bHasMacros = pImpl->aMacroMode.hasMacros();
++    pImpl->aMacroMode.checkMacrosOnLoading( xInteraction, bHasMacros );
++    pImpl->m_bHadCheckedMacrosOnLoad = bHasMacros;
+ }
+ 
++bool SfxObjectShell::GetHadCheckedMacrosOnLoad() const
++{
++    return pImpl->m_bHadCheckedMacrosOnLoad;
++}
+ 
+ void SfxObjectShell::CheckEncryption_Impl( const uno::Reference< task::XInteractionHandler >& xHandler )
+ {
+diff --git a/sfx2/source/doc/objxtor.cxx b/sfx2/source/doc/objxtor.cxx
+index 510c35d..a707bb7 100644
+--- a/sfx2/source/doc/objxtor.cxx
++++ b/sfx2/source/doc/objxtor.cxx
+@@ -237,6 +237,7 @@ SfxObjectShell_Impl::SfxObjectShell_Impl( SfxObjectShell& _rDocShell )
+     ,m_bAllowShareControlFileClean( true )
+     ,m_bConfigOptionsChecked( false )
+     ,m_bMacroCallsSeenWhileLoading( false )
++    ,m_bHadCheckedMacrosOnLoad( false )
+     ,lErr(ERRCODE_NONE)
+     ,nEventId ( SfxEventHintId::NONE )
+     ,nLoadedFlags ( SfxLoadedFlags::ALL )
+diff --git a/sfx2/source/inc/objshimp.hxx b/sfx2/source/inc/objshimp.hxx
+index 3d7b0b6..4afdd70 100644
+--- a/sfx2/source/inc/objshimp.hxx
++++ b/sfx2/source/inc/objshimp.hxx
+@@ -91,7 +91,8 @@ struct SfxObjectShell_Impl : public ::sfx2::IMacroDocumentAccess
+                         m_bSharedXMLFlag:1, // whether the document should be edited in shared mode
+                         m_bAllowShareControlFileClean:1, // whether the flag should be stored in xml file
+                         m_bConfigOptionsChecked:1, // whether or not the user options are checked after the Options dialog is closed.
+-                        m_bMacroCallsSeenWhileLoading:1; // whether or not the user options are checked after the Options dialog is closed.
++                        m_bMacroCallsSeenWhileLoading:1, // whether or not macro calls were seen when loading document.
++                        m_bHadCheckedMacrosOnLoad:1; // if document contained macros (or calls) when loaded
+ 
+     IndexBitSet         aBitSet;
+     ErrCode             lErr;
+-- 
+2.43.0
+
diff --git a/SOURCES/0003-assume-IFrame-script-macro-support-isn-t-needed.patch b/SOURCES/0003-assume-IFrame-script-macro-support-isn-t-needed.patch
new file mode 100644
index 0000000..66de89c
--- /dev/null
+++ b/SOURCES/0003-assume-IFrame-script-macro-support-isn-t-needed.patch
@@ -0,0 +1,54 @@
+From eaa66eec69ec311b73521c6ce410a749c810298f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Thu, 20 Apr 2023 20:58:21 +0100
+Subject: [PATCH 3/3] assume IFrame script/macro support isn't needed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+seems undocumented at least
+
+Change-Id: I316e4f4f25ddb7cf6b7bac4d856a721b987207a3
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/151020
+Tested-by: Jenkins
+Reviewed-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152150
+Tested-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit 4b679f8e16bc050bc0cc9fa9294413c8115ed239)
+---
+ sfx2/source/doc/iframe.cxx | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx
+index fce6cb48ea08f..84d724f7c58f3 100644
+--- a/sfx2/source/doc/iframe.cxx
++++ b/sfx2/source/doc/iframe.cxx
+@@ -168,20 +168,16 @@ sal_Bool SAL_CALL IFrameObject::load(
+         uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) );
+         xTrans->parseStrict( aTargetURL );
+ 
++        INetURLObject aURLObject(aTargetURL.Complete);
++        if (aURLObject.GetProtocol() == INetProtocol::Macro || aURLObject.isSchemeEqualTo(u"vnd.sun.star.script"))
++            return false;
++
+         uno::Reference<frame::XFramesSupplier> xParentFrame = xFrame->getCreator();
+         SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame);
+ 
+-        if (INetURLObject(aTargetURL.Complete).GetProtocol() == INetProtocol::Macro)
+-        {
+-            if (pDoc && !pDoc->AdjustMacroMode())
+-                return false;
+-        }
+-
+         bool bUpdateAllowed(true);
+         if (pDoc)
+         {
+-            // perhaps should only check for file targets, but lets default to making it strong
+-            // unless there is a known need to distinguish
+             comphelper::EmbeddedObjectContainer& rEmbeddedObjectContainer = pDoc->getEmbeddedObjectContainer();
+             bUpdateAllowed = rEmbeddedObjectContainer.getUserAllowsLinkUpdate();
+         }
+-- 
+2.41.0
+
diff --git a/SOURCES/0004-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-writer.patch b/SOURCES/0004-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-writer.patch
new file mode 100644
index 0000000..b454135
--- /dev/null
+++ b/SOURCES/0004-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-writer.patch
@@ -0,0 +1,281 @@
+From 6a69b533227ae22d97824317f14dfa6991959101 Mon Sep 17 00:00:00 2001
+Message-ID: <6a69b533227ae22d97824317f14dfa6991959101.1703086328.git.erack@redhat.com>
+In-Reply-To: <82752ccba78ecdbf94908377ec022f68ba7d9d59.1703086328.git.erack@redhat.com>
+References: <82752ccba78ecdbf94908377ec022f68ba7d9d59.1703086328.git.erack@redhat.com>
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolan.mcnamara@collabora.com>
+Date: Wed, 15 Nov 2023 11:39:24 +0000
+Subject: [PATCH 3/4] reuse AllowedLinkProtocolFromDocument in writer
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="------------erAck-patch-parts"
+
+This is a multi-part message in MIME format.
+--------------erAck-patch-parts
+Content-Type: text/plain; charset=UTF-8; format=fixed
+Content-Transfer-Encoding: 8bit
+
+
+reorg calc hyperlink check to reuse elsewhere
+
+Change-Id: I20ae3c5df15502c3a0a366fb4a2924c06ffac3d0
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159487
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit e6a7537762e19fde446441edd10d301f9b37ce75)
+
+reuse AllowedLinkProtocolFromDocument in writer
+
+Change-Id: Iacf5e313fc6ca5f7d69ca6986a036f0e1ab1f2a0
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159488
+Tested-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit 32535dfa82200b54296838b52285c054fbe5e51d)
+
+combine these hyperlink dispatchers into one call
+
+Change-Id: Icb7822e811013de648ccf2fbb23a5f0be9e29bb0
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159489
+Tested-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit 0df175ccc6ea542bc5801f631ff72bed187042eb)
+
+we can have just one LoadURL for writer
+
+Change-Id: Ia0162ee1c275292fcf200bad4662e4c2c6b7b972
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159557
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit 521ca9cf6acbae96cf95d9740859c9682212013d)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159858
+Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
+Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
+(cherry picked from commit e32b8601dbd63cf01497889601d6c9c1241106d6)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159883
+Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159913
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+Reviewed-by: Eike Rathke <erack@redhat.com>
+---
+ include/sfx2/objsh.hxx               |  7 +++--
+ sc/source/core/data/global.cxx       | 32 ++---------------------
+ sfx2/source/doc/objmisc.cxx          | 27 ++++++++++++++++++++
+ sw/source/uibase/shells/drwtxtex.cxx |  8 ++----
+ sw/source/uibase/wrtsh/wrtsh2.cxx    | 38 ++++++++++++++++++----------
+ 5 files changed, 60 insertions(+), 52 deletions(-)
+
+
+--------------erAck-patch-parts
+Content-Type: text/x-patch; name="0003-reuse-AllowedLinkProtocolFromDocument-in-writer.patch"
+Content-Transfer-Encoding: 8bit
+Content-Disposition: attachment; filename="0003-reuse-AllowedLinkProtocolFromDocument-in-writer.patch"
+
+diff --git a/include/sfx2/objsh.hxx b/include/sfx2/objsh.hxx
+index fde0dba3d7c9..79f22c978dcb 100644
+--- a/include/sfx2/objsh.hxx
++++ b/include/sfx2/objsh.hxx
+@@ -200,6 +200,9 @@ private:
+ 
+     SAL_DLLPRIVATE bool SaveTo_Impl(SfxMedium &rMedium, const SfxItemSet* pSet );
+ 
++    // true if the document had macros (or similar) on load to trigger warning user
++    SAL_DLLPRIVATE bool  GetHadCheckedMacrosOnLoad() const;
++
+ protected:
+                                 SfxObjectShell(SfxObjectCreateMode);
+                                 SfxObjectShell(SfxModelFlags);    // see sfxmodelfactory.hxx
+@@ -427,8 +430,8 @@ public:
+     void                        SetMacroCallsSeenWhileLoading();
+     bool                        GetMacroCallsSeenWhileLoading() const;
+ 
+-    // true if the document had macros (or similar) on load to trigger warning user
+-    bool                        GetHadCheckedMacrosOnLoad() const;
++    // true if this type of link, from a document, is allowed by the user to be passed to uno:OpenDoc
++    static bool                 AllowedLinkProtocolFromDocument(const OUString& rUrl, SfxObjectShell* pObjShell, weld::Window* pDialogParent);
+ 
+     const css::uno::Sequence< css::beans::PropertyValue >& GetModifyPasswordInfo() const;
+     bool                        SetModifyPasswordInfo( const css::uno::Sequence< css::beans::PropertyValue >& aInfo );
+diff --git a/sc/source/core/data/global.cxx b/sc/source/core/data/global.cxx
+index 92caea1ea459..27c5a51a46c1 100644
+--- a/sc/source/core/data/global.cxx
++++ b/sc/source/core/data/global.cxx
+@@ -29,9 +29,7 @@
+ #include <sfx2/docfile.hxx>
+ #include <sfx2/dispatch.hxx>
+ #include <sfx2/objsh.hxx>
+-#include <sfx2/sfxresid.hxx>
+ #include <sfx2/sfxsids.hrc>
+-#include <sfx2/strings.hrc>
+ #include <sfx2/viewfrm.hxx>
+ #include <sfx2/viewsh.hxx>
+ #include <svl/intitem.hxx>
+@@ -856,34 +854,8 @@ void ScGlobal::OpenURL(const OUString& rURL, const OUString& rTarget, bool bIgno
+             aUrlName = aNewUrlName;
+     }
+ 
+-    if (INetURLObject(aUrlName).IsExoticProtocol())
+-    {
+-        // Default to ignoring exotic protocols
+-        bool bAllow = false;
+-        if (pObjShell)
+-        {
+-            // If the document had macros when loaded then follow the allowed macro-mode
+-            if (pObjShell->GetHadCheckedMacrosOnLoad())
+-                bAllow = pObjShell->AdjustMacroMode();
+-            else // otherwise ask the user, defaulting to cancel
+-            {
+-                assert(pFrame && "if we have pObjShell we have pFrame");
+-                //Reuse URITools::onOpenURI warning string
+-                std::unique_ptr<weld::MessageDialog> xQueryBox(Application::CreateMessageDialog(pFrame->GetFrameWeld(),
+-                                                               VclMessageType::Warning, VclButtonsType::YesNo,
+-                                                               SfxResId(STR_DANGEROUS_TO_OPEN)));
+-                xQueryBox->set_primary_text(xQueryBox->get_primary_text().replaceFirst("$(ARG1)",
+-                    INetURLObject::decode(aUrlName, INetURLObject::DecodeMechanism::Unambiguous)));
+-                xQueryBox->set_default_response(RET_NO);
+-                bAllow = xQueryBox->run() == RET_YES;
+-            }
+-        }
+-        if (!bAllow)
+-        {
+-            SAL_WARN("sc", "ScGlobal::OpenURL ignoring: " << aUrlName);
+-            return;
+-        }
+-    }
++    if (!SfxObjectShell::AllowedLinkProtocolFromDocument(aUrlName, pObjShell, pFrame ? pFrame->GetFrameWeld() : nullptr))
++        return;
+ 
+     SfxStringItem aUrl( SID_FILE_NAME, aUrlName );
+     SfxStringItem aTarget( SID_TARGETNAME, rTarget );
+diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx
+index ddf95eeafe5e..8c76c3f0f4d6 100644
+--- a/sfx2/source/doc/objmisc.cxx
++++ b/sfx2/source/doc/objmisc.cxx
+@@ -962,6 +962,33 @@ bool SfxObjectShell::GetHadCheckedMacrosOnLoad() const
+     return pImpl->m_bHadCheckedMacrosOnLoad;
+ }
+ 
++bool SfxObjectShell::AllowedLinkProtocolFromDocument(const OUString& rUrl, SfxObjectShell* pObjShell, weld::Window* pDialogParent)
++{
++    if (!INetURLObject(rUrl).IsExoticProtocol())
++        return true;
++    // Default to ignoring exotic protocols
++    bool bAllow = false;
++    if (pObjShell)
++    {
++        // If the document had macros when loaded then follow the allowed macro-mode
++        if (pObjShell->GetHadCheckedMacrosOnLoad())
++            bAllow = pObjShell->AdjustMacroMode();
++        else // otherwise ask the user, defaulting to cancel
++        {
++            //Reuse URITools::onOpenURI warning string
++            std::unique_ptr<weld::MessageDialog> xQueryBox(Application::CreateMessageDialog(pDialogParent,
++                                                           VclMessageType::Warning, VclButtonsType::YesNo,
++                                                           SfxResId(STR_DANGEROUS_TO_OPEN)));
++            xQueryBox->set_primary_text(xQueryBox->get_primary_text().replaceFirst("$(ARG1)",
++                INetURLObject::decode(rUrl, INetURLObject::DecodeMechanism::Unambiguous)));
++            xQueryBox->set_default_response(RET_NO);
++            bAllow = xQueryBox->run() == RET_YES;
++        }
++    }
++    SAL_WARN_IF(!bAllow, "sfx.appl", "SfxObjectShell::AllowedLinkProtocolFromDocument ignoring: " << rUrl);
++    return bAllow;
++}
++
+ void SfxObjectShell::CheckEncryption_Impl( const uno::Reference< task::XInteractionHandler >& xHandler )
+ {
+     OUString aVersion;
+diff --git a/sw/source/uibase/shells/drwtxtex.cxx b/sw/source/uibase/shells/drwtxtex.cxx
+index c84ee7bd9af4..c51f501841ad 100644
+--- a/sw/source/uibase/shells/drwtxtex.cxx
++++ b/sw/source/uibase/shells/drwtxtex.cxx
+@@ -533,12 +533,8 @@ void SwDrawTextShell::Execute( SfxRequest &rReq )
+             const SvxFieldData* pField = pOLV->GetFieldAtCursor();
+             if (const SvxURLField* pURLField = dynamic_cast<const SvxURLField*>(pField))
+             {
+-                SfxStringItem aUrl(SID_FILE_NAME, pURLField->GetURL());
+-                SfxStringItem aTarget(SID_TARGETNAME, pURLField->GetTargetFrame());
+-                SfxBoolItem aNewView(SID_OPEN_NEW_VIEW, false);
+-                SfxBoolItem aBrowsing(SID_BROWSE, true);
+-                GetView().GetViewFrame()->GetDispatcher()->ExecuteList(
+-                    SID_OPENDOC, SfxCallMode::SYNCHRON, { &aUrl, &aTarget, &aNewView, &aBrowsing });
++                ::LoadURL(GetShell(), pURLField->GetURL(), LoadUrlFlags::NONE,
++                          pURLField->GetTargetFrame());
+             }
+         }
+         break;
+diff --git a/sw/source/uibase/wrtsh/wrtsh2.cxx b/sw/source/uibase/wrtsh/wrtsh2.cxx
+index 1995e7133c4a..d781823e82ec 100644
+--- a/sw/source/uibase/wrtsh/wrtsh2.cxx
++++ b/sw/source/uibase/wrtsh/wrtsh2.cxx
+@@ -501,30 +501,24 @@ bool SwWrtShell::ClickToINetGrf( const Point& rDocPt, LoadUrlFlags nFilter )
+     return bRet;
+ }
+ 
+-void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter,
+-              const OUString& rTargetFrameName )
++static void LoadURL(SwView& rView, const OUString& rURL, LoadUrlFlags nFilter,
++                    const OUString& rTargetFrameName)
+ {
+-    OSL_ENSURE( !rURL.isEmpty(), "what should be loaded here?" );
+-    if( rURL.isEmpty() )
+-        return ;
++    SwDocShell* pDShell = rView.GetDocShell();
++    OSL_ENSURE( pDShell, "No DocShell?!");
++    SfxViewFrame* pViewFrame = rView.GetViewFrame();
+ 
+-    // The shell could be 0 also!!!!!
+-    if ( dynamic_cast<const SwCursorShell*>( &rVSh) ==  nullptr )
++    if (!SfxObjectShell::AllowedLinkProtocolFromDocument(rURL, pDShell, pViewFrame->GetFrameWeld()))
+         return;
+ 
+     // We are doing tiledRendering, let the client handles the URL loading,
+     // unless we are jumping to a TOC mark.
+     if (comphelper::LibreOfficeKit::isActive() && !rURL.startsWith("#"))
+     {
+-        rVSh.GetSfxViewShell()->libreOfficeKitViewCallback(LOK_CALLBACK_HYPERLINK_CLICKED, rURL.toUtf8().getStr());
++        rView.libreOfficeKitViewCallback(LOK_CALLBACK_HYPERLINK_CLICKED, rURL.toUtf8().getStr());
+         return;
+     }
+ 
+-    //A CursorShell is always a WrtShell
+-    SwWrtShell &rSh = static_cast<SwWrtShell&>(rVSh);
+-
+-    SwDocShell* pDShell = rSh.GetView().GetDocShell();
+-    OSL_ENSURE( pDShell, "No DocShell?!");
+     OUString sTargetFrame(rTargetFrameName);
+     if (sTargetFrame.isEmpty() && pDShell)
+     {
+@@ -539,7 +533,6 @@ void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter,
+     OUString sReferer;
+     if( pDShell && pDShell->GetMedium() )
+         sReferer = pDShell->GetMedium()->GetName();
+-    SfxViewFrame* pViewFrame = rSh.GetView().GetViewFrame();
+     SfxFrameItem aView( SID_DOCFRAME, pViewFrame );
+     SfxStringItem aName( SID_FILE_NAME, rURL );
+     SfxStringItem aTargetFrameName( SID_TARGETNAME, sTargetFrame );
+@@ -565,6 +558,23 @@ void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter,
+             SfxCallMode::ASYNCHRON|SfxCallMode::RECORD );
+ }
+ 
++void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter,
++              const OUString& rTargetFrameName )
++{
++    OSL_ENSURE( !rURL.isEmpty(), "what should be loaded here?" );
++    if( rURL.isEmpty() )
++        return ;
++
++    // The shell could be 0 also!!!!!
++    if ( dynamic_cast<const SwCursorShell*>( &rVSh) ==  nullptr )
++        return;
++
++    //A CursorShell is always a WrtShell
++    SwWrtShell &rSh = static_cast<SwWrtShell&>(rVSh);
++
++    ::LoadURL(rSh.GetView(), rURL, nFilter, rTargetFrameName);
++}
++
+ void SwWrtShell::NavigatorPaste( const NaviContentBookmark& rBkmk,
+                                     const sal_uInt16 nAction )
+ {
+
+--------------erAck-patch-parts--
+
+
diff --git a/SOURCES/0005-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-impress-dra.patch b/SOURCES/0005-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-impress-dra.patch
new file mode 100644
index 0000000..f7564d9
--- /dev/null
+++ b/SOURCES/0005-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-impress-dra.patch
@@ -0,0 +1,87 @@
+From 62ba88176c10469588e4bbb73cbf33889df08dbc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolan.mcnamara@collabora.com>
+Date: Wed, 22 Nov 2023 21:14:41 +0000
+Subject: [PATCH] reuse AllowedLinkProtocolFromDocument in impress/draw
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: I73ca4f087946a45dbf92d69a0dc1e769de9b5690
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159843
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit f0942eed2eb328b04856f20613f5226d66b66a20)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159759
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159884
+Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
+Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159914
+Reviewed-by: Eike Rathke <erack@redhat.com>
+
+erAck: backported to 6.4.7.2
+
+---
+ sd/source/ui/app/sdmod1.cxx | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/sd/source/ui/app/sdmod1.cxx b/sd/source/ui/app/sdmod1.cxx
+index 3d84ddb..8d42653 100644
+--- a/sd/source/ui/app/sdmod1.cxx
++++ b/sd/source/ui/app/sdmod1.cxx
+@@ -32,6 +32,7 @@
+ #include <sfx2/dispatch.hxx>
+ #include <sfx2/request.hxx>
+ #include <sfx2/templatedlg.hxx>
++#include <svl/stritem.hxx>
+ #include <editeng/eeitem.hxx>
+ 
+ #include <svx/svxids.hrc>
+@@ -193,26 +194,32 @@ void SdModule::Execute(SfxRequest& rReq)
+         {
+             bool bIntercept = false;
+             ::sd::DrawDocShell* pDocShell = dynamic_cast< ::sd::DrawDocShell *>( SfxObjectShell::Current() );
+-            if (pDocShell)
++            ::sd::ViewShell* pViewShell = pDocShell ? pDocShell->GetViewShell() : nullptr;
++            if (pViewShell)
+             {
+-                ::sd::ViewShell* pViewShell = pDocShell->GetViewShell();
+-                if (pViewShell)
++                if( sd::SlideShow::IsRunning( pViewShell->GetViewShellBase() ) )
+                 {
+-                    if( sd::SlideShow::IsRunning( pViewShell->GetViewShellBase() ) )
++                    // Prevent documents from opening while the slide
++                    // show is running, except when this request comes
++                    // from a shape interaction.
++                    if (rReq.GetArgs() == nullptr)
+                     {
+-                        // Prevent documents from opening while the slide
+-                        // show is running, except when this request comes
+-                        // from a shape interaction.
+-                        if (rReq.GetArgs() == nullptr)
+-                        {
+-                            bIntercept = true;
+-                        }
++                        bIntercept = true;
+                     }
+                 }
+             }
+ 
+             if (!bIntercept)
+             {
++                if (const SfxStringItem* pURLItem = rReq.GetArg<SfxStringItem>(SID_FILE_NAME))
++                {
++                    if (!pViewShell || !SfxObjectShell::AllowedLinkProtocolFromDocument(pURLItem->GetValue(),
++                                                                                        pViewShell->GetObjectShell(),
++                                                                                        pViewShell->GetFrameWeld()))
++                    {
++                        return;
++                    }
++                }
+                 SfxGetpApp()->ExecuteSlot(rReq, SfxGetpApp()->GetInterface());
+             }
+             else
+-- 
+2.43.0
+
diff --git a/SOURCES/0006-CVE-2023-6186-backporting.patch b/SOURCES/0006-CVE-2023-6186-backporting.patch
new file mode 100644
index 0000000..ca5ab77
--- /dev/null
+++ b/SOURCES/0006-CVE-2023-6186-backporting.patch
@@ -0,0 +1,65 @@
+From a255a9c69d35df27e92349ea5bb9cb8d6c46d97f Mon Sep 17 00:00:00 2001
+From: rpmbuild <rpmbuild@fedoraproject.org>
+Date: Fri, 8 Mar 2024 17:51:24 +0100
+Subject: [PATCH] CVE-2023-6186 backporting
+
+Add dialog text string STR_DANGEROUS_TO_OPEN
+as per upstream commit 70009098fd70df021048c540d1796c928554b494
+
+SfxViewFrame doesn't have GetFrameWeld() yet, get from Window.
+---
+ include/sfx2/strings.hrc          | 1 +
+ sc/source/core/data/global.cxx    | 4 +++-
+ sw/source/uibase/wrtsh/wrtsh2.cxx | 2 +-
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/include/sfx2/strings.hrc b/include/sfx2/strings.hrc
+index 1db36e7..29950ba 100644
+--- a/include/sfx2/strings.hrc
++++ b/include/sfx2/strings.hrc
+@@ -103,6 +103,7 @@
+ #define STR_GB                                  NC_("STR_GB", "GB")
+ #define STR_QUERY_LASTVERSION                   NC_("STR_QUERY_LASTVERSION", "Cancel all changes?")
+ #define STR_NO_WEBBROWSER_FOUND                 NC_("STR_NO_WEBBROWSER_FOUND", "Opening \"$(ARG1)\" failed with error code $(ARG2) and message: \"$(ARG3)\"\nMaybe no web browser could be found on your system. In that case, please check your Desktop Preferences or install a web browser (for example, Firefox) in the default location requested during the browser installation.")
++#define STR_DANGEROUS_TO_OPEN                   NC_("STR_DANGEROUS_TO_OPEN", "It might be dangerous to open \"$(ARG1)\".\nDo you really want to open it?")
+ #define STR_NO_ABS_URI_REF                      NC_("STR_NO_ABS_URI_REF", "\"$(ARG1)\" is not an absolute URL that can be passed to an external application to open it.")
+ #define STR_GID_INTERN                          NC_("STR_GID_INTERN", "Internal")
+ #define STR_GID_APPLICATION                     NC_("STR_GID_APPLICATION", "Application")
+diff --git a/sc/source/core/data/global.cxx b/sc/source/core/data/global.cxx
+index b16be6b..3295a38 100644
+--- a/sc/source/core/data/global.cxx
++++ b/sc/source/core/data/global.cxx
+@@ -37,6 +37,8 @@
+ #include <vcl/virdev.hxx>
+ #include <vcl/settings.hxx>
+ #include <vcl/svapp.hxx>
++#include <vcl/weld.hxx>
++#include <vcl/window.hxx>
+ #include <unotools/charclass.hxx>
+ #include <unotools/securityoptions.hxx>
+ #include <osl/diagnose.h>
+@@ -823,7 +825,7 @@ void ScGlobal::OpenURL(const OUString& rURL, const OUString& rTarget, bool bIgno
+             aUrlName = aNewUrlName;
+     }
+ 
+-    if (!SfxObjectShell::AllowedLinkProtocolFromDocument(aUrlName, pObjShell, pFrame ? pFrame->GetFrameWeld() : nullptr))
++    if (!SfxObjectShell::AllowedLinkProtocolFromDocument(aUrlName, pObjShell, pFrame ? pFrame->GetWindow().GetFrameWeld() : nullptr))
+         return;
+ 
+     SfxStringItem aUrl( SID_FILE_NAME, aUrlName );
+diff --git a/sw/source/uibase/wrtsh/wrtsh2.cxx b/sw/source/uibase/wrtsh/wrtsh2.cxx
+index 41f427a..543644d 100644
+--- a/sw/source/uibase/wrtsh/wrtsh2.cxx
++++ b/sw/source/uibase/wrtsh/wrtsh2.cxx
+@@ -495,7 +495,7 @@ static void LoadURL(SwView& rView, const OUString& rURL, LoadUrlFlags nFilter,
+     OSL_ENSURE( pDShell, "No DocShell?!");
+     SfxViewFrame* pViewFrame = rView.GetViewFrame();
+ 
+-    if (!SfxObjectShell::AllowedLinkProtocolFromDocument(rURL, pDShell, pViewFrame->GetFrameWeld()))
++    if (!SfxObjectShell::AllowedLinkProtocolFromDocument(rURL, pDShell, pViewFrame->GetWindow().GetFrameWeld()))
+         return;
+ 
+     // We are doing tiledRendering, let the client handles the URL loading,
+-- 
+2.43.0
+
diff --git a/SPECS/libreoffice.spec b/SPECS/libreoffice.spec
index 37d328b..4dc8374 100644
--- a/SPECS/libreoffice.spec
+++ b/SPECS/libreoffice.spec
@@ -54,7 +54,7 @@ Summary:        Free Software Productivity Suite
 Name:           libreoffice
 Epoch:          1
 Version:        %{libo_version}.2
-Release:        13%{?libo_prerelease}%{?dist}.alma
+Release:        16%{?libo_prerelease}%{?dist}.alma.1
 License:        (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0
 URL:            http://www.libreoffice.org/
 
@@ -285,6 +285,22 @@ Patch41: 0002-CVE-2022-26307-make-hash-encoding-match-decoding.patch
 Patch42: 0003-CVE-2022-26306-add-Initialization-Vectors-to-passwor.patch
 Patch43: 0004-CVE-2022-2630-6-7-add-infobar-to-prompt-to-refresh-t.patch
 Patch44: 0001-CVE-2022-3140.patch
+Patch45: 0001-CVE-2022-38745.patch
+Patch46: 0001-Obtain-actual-0-parameter-count-for-OR-AND-and-1-par.patch
+Patch47: 0002-Stack-check-safety-belt-before-fishing-in-muddy-wate.patch
+Patch48: 0003-Always-push-a-result-even-if-it-s-only-an-error.patch
+Patch49: 0001-set-Referer-on-loading-IFrames.patch
+Patch50: 0002-put-floating-frames-under-managed-links-control.patch
+Patch51: 0003-assume-IFrame-script-macro-support-isn-t-needed.patch
+Patch52: 0001-disable-script-dump.patch
+# Patches were taken from the latest OL release
+Patch53: 0001-CVE-2023-6185-escape-url-passed-to-gstreamer.patch
+Patch54: 0001-CVE-2023-6186-add-some-protocols-that-don-t-make-sense-as-floating.patch
+Patch55: 0002-CVE-2023-6186-warn-about-exotic-protocols-as-well.patch
+Patch56: 0003-CVE-2023-6186-default-to-ignoring-libreoffice-special-purpose-prot.patch
+Patch57: 0004-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-writer.patch
+Patch58: 0005-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-impress-dra.patch
+Patch59: 0006-CVE-2023-6186-backporting.patch
 
 %if 0%{?rhel}
 # not upstreamed
@@ -377,7 +393,7 @@ Requires: %{name}-pyuno%{?_isa} = %{epoch}:%{version}-%{release}
 Requires: %{name}-ure%{?_isa} = %{epoch}:%{version}-%{release}
 
 %description base
-GUI database front-end for LibreOffice. Allows creation and management of 
+GUI database front-end for LibreOffice. Allows creation and management of
 databases through a GUI.
 
 %if 0%{?fedora}
@@ -461,7 +477,7 @@ BuildArch: noarch
 
 %description %{fontname}-fonts
 A dingbats font, OpenSymbol, suitable for use by LibreOffice for bullets and
-mathematical symbols. 
+mathematical symbols.
 
 %package writer
 Summary: LibreOffice Word Processor Application
@@ -475,7 +491,7 @@ Requires: %{name}-ure%{?_isa} = %{epoch}:%{version}-%{release}
 The LibreOffice Word Processor application.
 
 %package emailmerge
-Summary: Email mail-merge component for LibreOffice 
+Summary: Email mail-merge component for LibreOffice
 Requires: %{name}-writer%{?_isa} = %{epoch}:%{version}-%{release}
 Requires: %{name}-pyuno%{?_isa} = %{epoch}:%{version}-%{release}
 
@@ -525,7 +541,7 @@ Requires: %{name}-pdfimport%{?_isa} = %{epoch}:%{version}-%{release}
 Requires: %{name}-pyuno%{?_isa} = %{epoch}:%{version}-%{release}
 Requires: %{name}-ure%{?_isa} = %{epoch}:%{version}-%{release}
 
-%description math 
+%description math
 The LibreOffice Equation Editor Application.
 
 %package graphicfilter
@@ -1032,7 +1048,11 @@ sed -i -e /CppunitTest_sal_osl/d sal/Module_sal.mk
 sed -i -e /CppunitTest_dbaccess_hsqlbinary_import/d dbaccess/Module_dbaccess.mk
 sed -i -e /CppunitTest_vcl_svm_test/d vcl/Module_vcl.mk
 sed -i -e /CustomTarget_uno_test/d testtools/Module_testtools.mk
+sed -i -e /CppunitTest_sw_htmlexport/d sw/Module_sw.mk
 %endif
+# Broken with system nss. See also upstream commit ac519af951541b7313a4c98e1bee463bf47356be
+sed -i -e '/^\s*CPPUNIT_TEST(testInsertCertificate_PEM_ODT);/d' desktop/qa/desktop_lib/test_desktop_lib.cxx
+sed -i -e '/^\s*CPPUNIT_TEST(testInsertCertificate_PEM_DOCX);/d' desktop/qa/desktop_lib/test_desktop_lib.cxx
 
 git commit -q -a -m 'temporarily disable failing tests'
 
@@ -1234,7 +1254,7 @@ pushd %{buildroot}%{baseinstdir}/share/autocorr
 
 %make_autocorr_aliases -l en-GB en-AG en-AU en-BS en-BW en-BZ en-CA en-DK en-GH en-HK en-IE en-IN en-JM en-NG en-NZ en-SG en-TT
 %make_autocorr_aliases -l en-US en-PH
-#en-ZA exists and has a good autocorrect file with two or three extras that make sense for 
+#en-ZA exists and has a good autocorrect file with two or three extras that make sense for
 #neighbouring english speaking territories
 %make_autocorr_aliases -l en-ZA en-NA en-ZW
 %if %{with langpacks}
@@ -1289,7 +1309,7 @@ rm -f %{buildroot}%{baseinstdir}/CREDITS.fodt %{buildroot}%{baseinstdir}/LICENSE
 ln -sr %{buildroot}%{lodatadocdir}/CREDITS.fodt %{buildroot}%{baseinstdir}/CREDITS.fodt
 ln -sr %{buildroot}%{lodatadocdir}/LICENSE.html %{buildroot}%{baseinstdir}/LICENSE.html
 
-#ensure that no sneaky un-prelinkable, un-fpic or non executable shared libs 
+#ensure that no sneaky un-prelinkable, un-fpic or non executable shared libs
 #have snuck through
 pic=0
 executable=0
@@ -1481,13 +1501,13 @@ export DESTDIR=%{buildroot}
 #
 appstream-util replace-screenshots %{buildroot}%{_datadir}/metainfo/libreoffice-writer.appdata.xml \
   https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-writer/a.png \
-  https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-writer/b.png 
+  https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-writer/b.png
 appstream-util replace-screenshots %{buildroot}%{_datadir}/metainfo/libreoffice-calc.appdata.xml \
-  https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-calc/a.png 
+  https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-calc/a.png
 appstream-util replace-screenshots %{buildroot}%{_datadir}/metainfo/libreoffice-draw.appdata.xml \
-  https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-draw/a.png 
+  https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-draw/a.png
 appstream-util replace-screenshots %{buildroot}%{_datadir}/metainfo/libreoffice-impress.appdata.xml \
-  https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-impress/a.png 
+  https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-impress/a.png
 %endif
 %if 0%{?flatpak}
 # Assemble the libreoffice-*.appdata.xml files into a single
@@ -2276,8 +2296,30 @@ done
 %{_includedir}/LibreOfficeKit
 
 %changelog
-* Tue May 16 2023 Andrew Lukoshko <alukoshko@almalinux.org> - 1:6.4.7.2-13.alma
-- Debrand About window and palette
+* Fri Mar 29 2024 Eduard Abdullin <eabdullin@almalinux.org> - 1:6.4.7.2-16.alma.1
+- escape url passed to gstreamer
+- add some protocols that don't make sense as floating frame
+ targets
+- warn about exotic protocols as well
+- default to ignoring libreoffice special-purpose protocols
+ in calc hyperlink
+- reuse AllowedLinkProtocolFromDocument in writer
+- reuse AllowedLinkProtocolFromDocument in impress/draw
+- CVE-2023-6186 backporting
+
+* Mon Mar 11 2024 Eike Rathke <erack@redhat.com> - 1:6.4.7.2-16
+- Fix CVE-2023-6185 escape url passed to gstreamer
+- Fix CVE-2023-6186 check link target protocols
+
+* Mon Jun 19 2023 Stephan Bergmann <sbergman@redhat.com> - 1:6.4.7.2-15
+- Resolves: rhbz#2210191 CVE-2023-0950 Array Index UnderFlow in Calc Formula
+  Parsing
+- Resolves: rhbz#2210195 CVE-2023-2255 libreoffice: Remote documents loaded
+  without prompt via IFrame
+- Resolves: rhbz#2208509 CVE-2023-1183 libreoffice: Arbitrary File Write
+
+* Wed Apr 12 2023 Caolán McNamara <caolanm@redhat.com> - 1:6.4.7.2-14
+- Resolves: rhbz#2182390 CVE-2022-38745 Empty entry in Java class path
 
 * Mon Nov 21 2022 Stephan Bergmann <sbergman@redhat.com> - 1:6.4.7.2-13
 - Resolves: rhbz#2031681 Failure saving to smb share
@@ -2290,6 +2332,7 @@ done
 
 * Mon Mar 07 2022 Caolán McNamara <caolanm@redhat.com> - 1:6.4.7.2-11
 - Resolves: rhbz#2060559 CVE-2021-25636
+
 * Mon Feb 07 2022 Caolán McNamara <caolanm@redhat.com> - 1:6.4.7.2-10
 - Related: rhbz#2029810  bump n-v-r
 
@@ -4082,7 +4125,7 @@ done
 
 * Wed Oct 19 2011 Caolán McNamara <caolanm@redhat.com> - 3.4.3.2-14
 - Related: rhbz#743750 addXineramaScreenUnique issue
- 
+
 * Fri Oct 07 2011 Stephan Bergmann <sbergman@redhat.com> - 3.4.3.2-13
 - Patches to build with GCC 6.4.1