From 143eedd298113bb20c2807baa49a4c83c2cef70b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Fri, 26 Jul 2019 13:25:31 +0100
Subject: [PATCH 1/3] decode url escape codes and check each path segment

Change-Id: Ie8f7cef912e8dacbc2a0bca73534a7a242a53ca1
Reviewed-on: https://gerrit.libreoffice.org/76378
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
Tested-by: Jenkins
(cherry picked from commit 7942929685fafb0f9c82feb8da7279e5103c87f0)
Reviewed-on: https://gerrit.libreoffice.org/76451
Reviewed-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>
Tested-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>
---
 sfx2/source/doc/objmisc.cxx | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx
index 8594e9522e48..7e9288524b34 100644
--- a/sfx2/source/doc/objmisc.cxx
+++ b/sfx2/source/doc/objmisc.cxx
@@ -41,6 +41,8 @@
 #include <com/sun/star/script/provider/XScriptProvider.hpp>
 #include <com/sun/star/script/provider/XScriptProviderSupplier.hpp>
 #include <com/sun/star/ucb/SimpleFileAccess.hpp>
+#include <com/sun/star/uri/UriReferenceFactory.hpp>
+#include <com/sun/star/uri/XVndSunStarScriptUrlReference.hpp>
 #include <com/sun/star/util/XModifiable.hpp>
 
 #include <toolkit/helper/vclunohelper.hxx>
@@ -1351,7 +1353,33 @@ namespace {
 // don't allow LibreLogo to be used with our mouseover/etc dom-alike events
 bool UnTrustedScript(const OUString& rScriptURL)
 {
-    return rScriptURL.startsWithIgnoreAsciiCase("vnd.sun.star.script:LibreLogo");
+    if (!rScriptURL.startsWith("vnd.sun.star.script:"))
+        return false;
+
+    // ensure URL Escape Codes are decoded
+    css::uno::Reference<css::uri::XUriReference> uri(
+        css::uri::UriReferenceFactory::create(comphelper::getProcessComponentContext())->parse(rScriptURL));
+    css::uno::Reference<css::uri::XVndSunStarScriptUrl> sfUri(uri, css::uno::UNO_QUERY);
+
+    if (!sfUri.is())
+        return false;
+
+    // pyuno encodes path separator as |
+    OUString sScript = sfUri->getName().replace('|', '/');
+
+    // check if any path portion matches LibreLogo and ban it if it does
+    sal_Int32 nIndex = 0;
+    do
+    {
+        OUString aToken = sScript.getToken(0, '/', nIndex);
+        if (aToken.startsWithIgnoreAsciiCase("LibreLogo"))
+        {
+            return true;
+        }
+    }
+    while (nIndex >= 0);
+
+    return false;
 }
 
 }
-- 
2.21.0