Resolves: rhbz#2134761 Macro URL arbitrary script execution
This commit is contained in:
parent
4dcf3f22f5
commit
72b95f2e0e
292
0005-CVE-2022-3140-Filter-out-unwanted-command-URIs.patch
Normal file
292
0005-CVE-2022-3140-Filter-out-unwanted-command-URIs.patch
Normal file
@ -0,0 +1,292 @@
|
|||||||
|
From 86c29694ddf10b51ecd76b4f1397d798f62cc709 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stephan Bergmann <sbergman@redhat.com>
|
||||||
|
Date: Tue, 30 Aug 2022 14:04:52 +0200
|
||||||
|
Subject: [PATCH 5/5] CVE-2022-3140 Filter out unwanted command URIs
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139225
|
||||||
|
Tested-by: Jenkins
|
||||||
|
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
|
||||||
|
(cherry picked from commit 27d29f7df428885865a8e2313283839b20f2a34b)
|
||||||
|
Conflicts:
|
||||||
|
desktop/source/app/cmdlineargs.cxx
|
||||||
|
|
||||||
|
Change-Id: I0b7e5329af8cc053d14d5c60ec14fe7f364ef993
|
||||||
|
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139182
|
||||||
|
Tested-by: Jenkins
|
||||||
|
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
|
||||||
|
(cherry picked from commit da291e2960b75153f41d440a1b41961567432e8c)
|
||||||
|
|
||||||
|
These commands are always URLs already
|
||||||
|
|
||||||
|
Change-Id: I5083765c879689d7f933bbe00ad70bb68e635a21
|
||||||
|
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139042
|
||||||
|
Tested-by: Jean-Pierre Ledure <jp@ledure.be>
|
||||||
|
Tested-by: Jenkins
|
||||||
|
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
|
||||||
|
(cherry picked from commit e61701e1ee6763de72b397e6ade1124eca9400f3)
|
||||||
|
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/138980
|
||||||
|
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
|
||||||
|
(cherry picked from commit 5b4025bb56999f5c895c6f7e0b52f521800d65b0)
|
||||||
|
|
||||||
|
check IFrame "FrameURL" target
|
||||||
|
|
||||||
|
similiar to
|
||||||
|
|
||||||
|
commit b3edf85e0fe6ca03dc26e1bf531be82193bc9627
|
||||||
|
Date: Wed Aug 7 17:37:11 2019 +0100
|
||||||
|
|
||||||
|
warn on load when a document binds an event to a macro
|
||||||
|
|
||||||
|
Change-Id: Iea888b1c083d2dc69ec322309ac9ae8c5e5eb315
|
||||||
|
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139059
|
||||||
|
Tested-by: Jenkins
|
||||||
|
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
|
||||||
|
(cherry picked from commit c7450d0b9d02c64ae3da467d329040787039767e)
|
||||||
|
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139117
|
||||||
|
Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
|
||||||
|
(cherry picked from commit f5e3b0a7966d7d28817292adbb58fb43f28b7c6d)
|
||||||
|
|
||||||
|
check impress/calc IFrame "FrameURL" target
|
||||||
|
|
||||||
|
similar to
|
||||||
|
|
||||||
|
commit c7450d0b9d02c64ae3da467d329040787039767e
|
||||||
|
Date: Tue Aug 30 17:01:08 2022 +0100
|
||||||
|
|
||||||
|
check IFrame "FrameURL" target
|
||||||
|
|
||||||
|
Change-Id: Ibf28c29acb4476830431d02772f3ecd4b23a6a27
|
||||||
|
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139495
|
||||||
|
Tested-by: Jenkins
|
||||||
|
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
|
||||||
|
(cherry picked from commit d0312786571221c2dd4f63fa69f6f0489d7d39ec)
|
||||||
|
---
|
||||||
|
desktop/source/app/cmdlineargs.cxx | 10 +++++++++-
|
||||||
|
sfx2/source/appl/macroloader.cxx | 9 +++++++--
|
||||||
|
sfx2/source/doc/iframe.cxx | 21 ++++++++++++++++-----
|
||||||
|
sfx2/source/inc/macroloader.hxx | 2 ++
|
||||||
|
sw/source/filter/html/htmlplug.cxx | 7 ++++++-
|
||||||
|
sw/source/filter/xml/xmltexti.cxx | 9 +++++++--
|
||||||
|
wizards/source/access2base/DoCmd.xba | 2 +-
|
||||||
|
wizards/source/scriptforge/SF_Session.xba | 2 +-
|
||||||
|
xmloff/source/draw/ximpshap.cxx | 4 ++++
|
||||||
|
9 files changed, 53 insertions(+), 13 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/desktop/source/app/cmdlineargs.cxx b/desktop/source/app/cmdlineargs.cxx
|
||||||
|
index 4d5a3bb78396..93d9e8742ba8 100644
|
||||||
|
--- a/desktop/source/app/cmdlineargs.cxx
|
||||||
|
+++ b/desktop/source/app/cmdlineargs.cxx
|
||||||
|
@@ -28,6 +28,7 @@
|
||||||
|
#include "cmdlineargs.hxx"
|
||||||
|
#include <osl/thread.hxx>
|
||||||
|
#include <tools/stream.hxx>
|
||||||
|
+#include <tools/urlobj.hxx>
|
||||||
|
#include <rtl/ustring.hxx>
|
||||||
|
#include <rtl/process.h>
|
||||||
|
#include <comphelper/lok.hxx>
|
||||||
|
@@ -166,7 +167,14 @@ CommandLineEvent CheckOfficeURI(/* in,out */ OUString& arg, CommandLineEvent cur
|
||||||
|
}
|
||||||
|
if (nURIlen < 0)
|
||||||
|
nURIlen = rest2.getLength();
|
||||||
|
- arg = rest2.copy(0, nURIlen);
|
||||||
|
+ auto const uri = rest2.copy(0, nURIlen);
|
||||||
|
+ if (INetURLObject(uri).GetProtocol() == INetProtocol::Macro) {
|
||||||
|
+ // Let the "Open" machinery process the full command URI (leading to failure, by intention,
|
||||||
|
+ // as the "Open" machinery does not know about those command URI schemes):
|
||||||
|
+ curEvt = CommandLineEvent::Open;
|
||||||
|
+ } else {
|
||||||
|
+ arg = uri;
|
||||||
|
+ }
|
||||||
|
return curEvt;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/sfx2/source/appl/macroloader.cxx b/sfx2/source/appl/macroloader.cxx
|
||||||
|
index 46090f712665..ad70ef5fa0f6 100644
|
||||||
|
--- a/sfx2/source/appl/macroloader.cxx
|
||||||
|
+++ b/sfx2/source/appl/macroloader.cxx
|
||||||
|
@@ -68,10 +68,10 @@ css::uno::Sequence<OUString> SAL_CALL SfxMacroLoader::getSupportedServiceNames()
|
||||||
|
return { "com.sun.star.frame.ProtocolHandler" };
|
||||||
|
}
|
||||||
|
|
||||||
|
-SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl()
|
||||||
|
+SfxObjectShell* SfxMacroLoader::GetObjectShell(const Reference <XFrame>& xFrame)
|
||||||
|
{
|
||||||
|
SfxObjectShell* pDocShell = nullptr;
|
||||||
|
- Reference < XFrame > xFrame( m_xFrame.get(), UNO_QUERY );
|
||||||
|
+
|
||||||
|
if ( xFrame.is() )
|
||||||
|
{
|
||||||
|
SfxFrame* pFrame=nullptr;
|
||||||
|
@@ -88,6 +88,11 @@ SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl()
|
||||||
|
return pDocShell;
|
||||||
|
}
|
||||||
|
|
||||||
|
+SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl()
|
||||||
|
+{
|
||||||
|
+ Reference < XFrame > xFrame( m_xFrame.get(), UNO_QUERY );
|
||||||
|
+ return SfxMacroLoader::GetObjectShell(xFrame);
|
||||||
|
+}
|
||||||
|
|
||||||
|
uno::Reference<frame::XDispatch> SAL_CALL SfxMacroLoader::queryDispatch(
|
||||||
|
const util::URL& aURL ,
|
||||||
|
diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx
|
||||||
|
index e37607c91a46..3f9036a79b04 100644
|
||||||
|
--- a/sfx2/source/doc/iframe.cxx
|
||||||
|
+++ b/sfx2/source/doc/iframe.cxx
|
||||||
|
@@ -38,10 +38,12 @@
|
||||||
|
#include <officecfg/Office/Common.hxx>
|
||||||
|
#include <svl/itemprop.hxx>
|
||||||
|
#include <sfx2/frmdescr.hxx>
|
||||||
|
+#include <sfx2/objsh.hxx>
|
||||||
|
#include <sfx2/sfxdlg.hxx>
|
||||||
|
#include <toolkit/helper/vclunohelper.hxx>
|
||||||
|
#include <vcl/window.hxx>
|
||||||
|
#include <tools/debug.hxx>
|
||||||
|
+#include <macroloader.hxx>
|
||||||
|
|
||||||
|
using namespace ::com::sun::star;
|
||||||
|
|
||||||
|
@@ -157,6 +159,19 @@ sal_Bool SAL_CALL IFrameObject::load(
|
||||||
|
{
|
||||||
|
if ( officecfg::Office::Common::Misc::PluginsEnabled::get() )
|
||||||
|
{
|
||||||
|
+ util::URL aTargetURL;
|
||||||
|
+ aTargetURL.Complete = maFrmDescr.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE );
|
||||||
|
+ uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) );
|
||||||
|
+ xTrans->parseStrict( aTargetURL );
|
||||||
|
+
|
||||||
|
+ if (INetURLObject(aTargetURL.Complete).GetProtocol() == INetProtocol::Macro)
|
||||||
|
+ {
|
||||||
|
+ uno::Reference<frame::XFramesSupplier> xParentFrame = xFrame->getCreator();
|
||||||
|
+ SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame);
|
||||||
|
+ if (pDoc && !pDoc->AdjustMacroMode())
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
DBG_ASSERT( !mxFrame.is(), "Frame already existing!" );
|
||||||
|
VclPtr<vcl::Window> pParent = VCLUnoHelper::GetWindow( xFrame->getContainerWindow() );
|
||||||
|
VclPtr<IFrameWindow_Impl> pWin = VclPtr<IFrameWindow_Impl>::Create( pParent, maFrmDescr.IsFrameBorderOn() );
|
||||||
|
@@ -179,16 +194,12 @@ sal_Bool SAL_CALL IFrameObject::load(
|
||||||
|
if ( xFramesSupplier.is() )
|
||||||
|
mxFrame->setCreator( xFramesSupplier );
|
||||||
|
|
||||||
|
- util::URL aTargetURL;
|
||||||
|
- aTargetURL.Complete = maFrmDescr.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE );
|
||||||
|
- uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) );
|
||||||
|
- xTrans->parseStrict( aTargetURL );
|
||||||
|
-
|
||||||
|
uno::Sequence < beans::PropertyValue > aProps(2);
|
||||||
|
aProps[0].Name = "PluginMode";
|
||||||
|
aProps[0].Value <<= sal_Int16(2);
|
||||||
|
aProps[1].Name = "ReadOnly";
|
||||||
|
aProps[1].Value <<= true;
|
||||||
|
+
|
||||||
|
uno::Reference < frame::XDispatch > xDisp = mxFrame->queryDispatch( aTargetURL, "_self", 0 );
|
||||||
|
if ( xDisp.is() )
|
||||||
|
xDisp->dispatch( aTargetURL, aProps );
|
||||||
|
diff --git a/sfx2/source/inc/macroloader.hxx b/sfx2/source/inc/macroloader.hxx
|
||||||
|
index 051486c09adf..62a6555ff877 100644
|
||||||
|
--- a/sfx2/source/inc/macroloader.hxx
|
||||||
|
+++ b/sfx2/source/inc/macroloader.hxx
|
||||||
|
@@ -79,6 +79,8 @@ public:
|
||||||
|
virtual void SAL_CALL addStatusListener( const css::uno::Reference< css::frame::XStatusListener >& xControl, const css::util::URL& aURL ) override;
|
||||||
|
|
||||||
|
virtual void SAL_CALL removeStatusListener( const css::uno::Reference< css::frame::XStatusListener >& xControl, const css::util::URL& aURL ) override;
|
||||||
|
+
|
||||||
|
+ static SfxObjectShell* GetObjectShell(const css::uno::Reference<css::frame::XFrame>& xFrame);
|
||||||
|
};
|
||||||
|
|
||||||
|
#endif
|
||||||
|
diff --git a/sw/source/filter/html/htmlplug.cxx b/sw/source/filter/html/htmlplug.cxx
|
||||||
|
index 65e0419f4ed9..90036cfac67a 100644
|
||||||
|
--- a/sw/source/filter/html/htmlplug.cxx
|
||||||
|
+++ b/sw/source/filter/html/htmlplug.cxx
|
||||||
|
@@ -1090,7 +1090,12 @@ void SwHTMLParser::InsertFloatingFrame()
|
||||||
|
bool bHasBorder = aFrameDesc.HasFrameBorder();
|
||||||
|
Size aMargin = aFrameDesc.GetMargin();
|
||||||
|
|
||||||
|
- xSet->setPropertyValue("FrameURL", uno::makeAny( aFrameDesc.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE ) ) );
|
||||||
|
+ OUString sHRef = aFrameDesc.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE );
|
||||||
|
+
|
||||||
|
+ if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro)
|
||||||
|
+ NotifyMacroEventRead();
|
||||||
|
+
|
||||||
|
+ xSet->setPropertyValue("FrameURL", uno::makeAny( sHRef ) );
|
||||||
|
xSet->setPropertyValue("FrameName", uno::makeAny( aName ) );
|
||||||
|
|
||||||
|
if ( eScroll == ScrollingMode::Auto )
|
||||||
|
diff --git a/sw/source/filter/xml/xmltexti.cxx b/sw/source/filter/xml/xmltexti.cxx
|
||||||
|
index cf0c7e6a85ba..eaf45dd91cd4 100644
|
||||||
|
--- a/sw/source/filter/xml/xmltexti.cxx
|
||||||
|
+++ b/sw/source/filter/xml/xmltexti.cxx
|
||||||
|
@@ -857,9 +857,14 @@ uno::Reference< XPropertySet > SwXMLTextImportHelper::createAndInsertFloatingFra
|
||||||
|
uno::Reference < beans::XPropertySet > xSet( xObj->getComponent(), uno::UNO_QUERY );
|
||||||
|
if ( xSet.is() )
|
||||||
|
{
|
||||||
|
+ OUString sHRef = URIHelper::SmartRel2Abs(
|
||||||
|
+ INetURLObject( GetXMLImport().GetBaseURL() ), rHRef );
|
||||||
|
+
|
||||||
|
+ if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro)
|
||||||
|
+ GetXMLImport().NotifyMacroEventRead();
|
||||||
|
+
|
||||||
|
xSet->setPropertyValue("FrameURL",
|
||||||
|
- makeAny( URIHelper::SmartRel2Abs(
|
||||||
|
- INetURLObject( GetXMLImport().GetBaseURL() ), rHRef ) ) );
|
||||||
|
+ makeAny( rHRef ) );
|
||||||
|
|
||||||
|
xSet->setPropertyValue("FrameName",
|
||||||
|
makeAny( rName ) );
|
||||||
|
diff --git a/wizards/source/access2base/DoCmd.xba b/wizards/source/access2base/DoCmd.xba
|
||||||
|
index 089486a872fa..20051553c47f 100644
|
||||||
|
--- a/wizards/source/access2base/DoCmd.xba
|
||||||
|
+++ b/wizards/source/access2base/DoCmd.xba
|
||||||
|
@@ -2655,7 +2655,7 @@ Private Sub _ShellExecute(sCommand As String)
|
||||||
|
|
||||||
|
Dim oShell As Object
|
||||||
|
Set oShell = createUnoService("com.sun.star.system.SystemShellExecute")
|
||||||
|
- oShell.execute(sCommand, "" , com.sun.star.system.SystemShellExecuteFlags.DEFAULTS)
|
||||||
|
+ oShell.execute(sCommand, "" , com.sun.star.system.SystemShellExecuteFlags.URIS_ONLY)
|
||||||
|
|
||||||
|
End Sub ' _ShellExecute V0.8.5
|
||||||
|
|
||||||
|
diff --git a/wizards/source/scriptforge/SF_Session.xba b/wizards/source/scriptforge/SF_Session.xba
|
||||||
|
index a41bffa51377..7c709897947a 100644
|
||||||
|
--- a/wizards/source/scriptforge/SF_Session.xba
|
||||||
|
+++ b/wizards/source/scriptforge/SF_Session.xba
|
||||||
|
@@ -513,7 +513,7 @@ Check:
|
||||||
|
Try:
|
||||||
|
Set oShell = SF_Utils._GetUNOService("SystemShellExecute")
|
||||||
|
sCommand = SF_FileSystem._ConvertToUrl(Command)
|
||||||
|
- oShell.execute(sCommand, Parameters, com.sun.star.system.SystemShellExecuteFlags.DEFAULTS)
|
||||||
|
+ oShell.execute(sCommand, Parameters, com.sun.star.system.SystemShellExecuteFlags.URIS_ONLY)
|
||||||
|
bReturn = True
|
||||||
|
|
||||||
|
Finally:
|
||||||
|
diff --git a/xmloff/source/draw/ximpshap.cxx b/xmloff/source/draw/ximpshap.cxx
|
||||||
|
index 65a7e2fb0eef..4afa4e039776 100644
|
||||||
|
--- a/xmloff/source/draw/ximpshap.cxx
|
||||||
|
+++ b/xmloff/source/draw/ximpshap.cxx
|
||||||
|
@@ -87,6 +87,7 @@
|
||||||
|
#include <basegfx/polygon/b2dpolypolygon.hxx>
|
||||||
|
#include <basegfx/polygon/b2dpolypolygontools.hxx>
|
||||||
|
#include <basegfx/vector/b2dvector.hxx>
|
||||||
|
+#include <tools/urlobj.hxx>
|
||||||
|
#include <o3tl/any.hxx>
|
||||||
|
#include <o3tl/safeint.hxx>
|
||||||
|
|
||||||
|
@@ -3231,6 +3232,9 @@ void SdXMLFloatingFrameShapeContext::StartElement( const css::uno::Reference< cs
|
||||||
|
|
||||||
|
if( !maHref.isEmpty() )
|
||||||
|
{
|
||||||
|
+ if (INetURLObject(maHref).GetProtocol() == INetProtocol::Macro)
|
||||||
|
+ GetImport().NotifyMacroEventRead();
|
||||||
|
+
|
||||||
|
xProps->setPropertyValue("FrameURL", Any(maHref) );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.37.3
|
||||||
|
|
@ -2278,6 +2278,7 @@ gtk-update-icon-cache -q %{_datadir}/icons/hicolor &>/dev/null || :
|
|||||||
- Resolves: rhbz#2134759 Untrusted Macros
|
- Resolves: rhbz#2134759 Untrusted Macros
|
||||||
- Resolves: rhbz#2134757 Weak Master Keys
|
- Resolves: rhbz#2134757 Weak Master Keys
|
||||||
- Resolves: rhbz#2134755 Static Initialization Vector
|
- Resolves: rhbz#2134755 Static Initialization Vector
|
||||||
|
- Resolves: rhbz#2134761 Macro URL arbitrary script execution
|
||||||
|
|
||||||
* Tue May 10 2022 Caolán McNamara <caolanm@redhat.com> - 1:7.1.8.1-7
|
* Tue May 10 2022 Caolán McNamara <caolanm@redhat.com> - 1:7.1.8.1-7
|
||||||
- Resolves: rhbz#2081661 fix gtk_tree_view_scroll_to_cell assert
|
- Resolves: rhbz#2081661 fix gtk_tree_view_scroll_to_cell assert
|
||||||
|
Loading…
Reference in New Issue
Block a user