From 86c29694ddf10b51ecd76b4f1397d798f62cc709 Mon Sep 17 00:00:00 2001 From: Stephan Bergmann Date: Tue, 30 Aug 2022 14:04:52 +0200 Subject: [PATCH 5/5] CVE-2022-3140 Filter out unwanted command URIs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139225 Tested-by: Jenkins Reviewed-by: Stephan Bergmann (cherry picked from commit 27d29f7df428885865a8e2313283839b20f2a34b) Conflicts: desktop/source/app/cmdlineargs.cxx Change-Id: I0b7e5329af8cc053d14d5c60ec14fe7f364ef993 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139182 Tested-by: Jenkins Reviewed-by: Miklos Vajna (cherry picked from commit da291e2960b75153f41d440a1b41961567432e8c) These commands are always URLs already Change-Id: I5083765c879689d7f933bbe00ad70bb68e635a21 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139042 Tested-by: Jean-Pierre Ledure Tested-by: Jenkins Reviewed-by: Stephan Bergmann (cherry picked from commit e61701e1ee6763de72b397e6ade1124eca9400f3) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/138980 Reviewed-by: Caolán McNamara (cherry picked from commit 5b4025bb56999f5c895c6f7e0b52f521800d65b0) check IFrame "FrameURL" target similiar to commit b3edf85e0fe6ca03dc26e1bf531be82193bc9627 Date: Wed Aug 7 17:37:11 2019 +0100 warn on load when a document binds an event to a macro Change-Id: Iea888b1c083d2dc69ec322309ac9ae8c5e5eb315 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139059 Tested-by: Jenkins Reviewed-by: Stephan Bergmann (cherry picked from commit c7450d0b9d02c64ae3da467d329040787039767e) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139117 Reviewed-by: Christian Lohmaier (cherry picked from commit f5e3b0a7966d7d28817292adbb58fb43f28b7c6d) check impress/calc IFrame "FrameURL" target similar to commit c7450d0b9d02c64ae3da467d329040787039767e Date: Tue Aug 30 17:01:08 2022 +0100 check IFrame "FrameURL" target Change-Id: Ibf28c29acb4476830431d02772f3ecd4b23a6a27 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139495 Tested-by: Jenkins Reviewed-by: Stephan Bergmann (cherry picked from commit d0312786571221c2dd4f63fa69f6f0489d7d39ec) --- desktop/source/app/cmdlineargs.cxx | 10 +++++++++- sfx2/source/appl/macroloader.cxx | 9 +++++++-- sfx2/source/doc/iframe.cxx | 21 ++++++++++++++++----- sfx2/source/inc/macroloader.hxx | 2 ++ sw/source/filter/html/htmlplug.cxx | 7 ++++++- sw/source/filter/xml/xmltexti.cxx | 9 +++++++-- wizards/source/access2base/DoCmd.xba | 2 +- wizards/source/scriptforge/SF_Session.xba | 2 +- xmloff/source/draw/ximpshap.cxx | 4 ++++ 9 files changed, 53 insertions(+), 13 deletions(-) diff --git a/desktop/source/app/cmdlineargs.cxx b/desktop/source/app/cmdlineargs.cxx index 4d5a3bb78396..93d9e8742ba8 100644 --- a/desktop/source/app/cmdlineargs.cxx +++ b/desktop/source/app/cmdlineargs.cxx @@ -28,6 +28,7 @@ #include "cmdlineargs.hxx" #include #include +#include #include #include #include @@ -166,7 +167,14 @@ CommandLineEvent CheckOfficeURI(/* in,out */ OUString& arg, CommandLineEvent cur } if (nURIlen < 0) nURIlen = rest2.getLength(); - arg = rest2.copy(0, nURIlen); + auto const uri = rest2.copy(0, nURIlen); + if (INetURLObject(uri).GetProtocol() == INetProtocol::Macro) { + // Let the "Open" machinery process the full command URI (leading to failure, by intention, + // as the "Open" machinery does not know about those command URI schemes): + curEvt = CommandLineEvent::Open; + } else { + arg = uri; + } return curEvt; } diff --git a/sfx2/source/appl/macroloader.cxx b/sfx2/source/appl/macroloader.cxx index 46090f712665..ad70ef5fa0f6 100644 --- a/sfx2/source/appl/macroloader.cxx +++ b/sfx2/source/appl/macroloader.cxx @@ -68,10 +68,10 @@ css::uno::Sequence SAL_CALL SfxMacroLoader::getSupportedServiceNames() return { "com.sun.star.frame.ProtocolHandler" }; } -SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl() +SfxObjectShell* SfxMacroLoader::GetObjectShell(const Reference & xFrame) { SfxObjectShell* pDocShell = nullptr; - Reference < XFrame > xFrame( m_xFrame.get(), UNO_QUERY ); + if ( xFrame.is() ) { SfxFrame* pFrame=nullptr; @@ -88,6 +88,11 @@ SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl() return pDocShell; } +SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl() +{ + Reference < XFrame > xFrame( m_xFrame.get(), UNO_QUERY ); + return SfxMacroLoader::GetObjectShell(xFrame); +} uno::Reference SAL_CALL SfxMacroLoader::queryDispatch( const util::URL& aURL , diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx index e37607c91a46..3f9036a79b04 100644 --- a/sfx2/source/doc/iframe.cxx +++ b/sfx2/source/doc/iframe.cxx @@ -38,10 +38,12 @@ #include #include #include +#include #include #include #include #include +#include using namespace ::com::sun::star; @@ -157,6 +159,19 @@ sal_Bool SAL_CALL IFrameObject::load( { if ( officecfg::Office::Common::Misc::PluginsEnabled::get() ) { + util::URL aTargetURL; + aTargetURL.Complete = maFrmDescr.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE ); + uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) ); + xTrans->parseStrict( aTargetURL ); + + if (INetURLObject(aTargetURL.Complete).GetProtocol() == INetProtocol::Macro) + { + uno::Reference xParentFrame = xFrame->getCreator(); + SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame); + if (pDoc && !pDoc->AdjustMacroMode()) + return false; + } + DBG_ASSERT( !mxFrame.is(), "Frame already existing!" ); VclPtr pParent = VCLUnoHelper::GetWindow( xFrame->getContainerWindow() ); VclPtr pWin = VclPtr::Create( pParent, maFrmDescr.IsFrameBorderOn() ); @@ -179,16 +194,12 @@ sal_Bool SAL_CALL IFrameObject::load( if ( xFramesSupplier.is() ) mxFrame->setCreator( xFramesSupplier ); - util::URL aTargetURL; - aTargetURL.Complete = maFrmDescr.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE ); - uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) ); - xTrans->parseStrict( aTargetURL ); - uno::Sequence < beans::PropertyValue > aProps(2); aProps[0].Name = "PluginMode"; aProps[0].Value <<= sal_Int16(2); aProps[1].Name = "ReadOnly"; aProps[1].Value <<= true; + uno::Reference < frame::XDispatch > xDisp = mxFrame->queryDispatch( aTargetURL, "_self", 0 ); if ( xDisp.is() ) xDisp->dispatch( aTargetURL, aProps ); diff --git a/sfx2/source/inc/macroloader.hxx b/sfx2/source/inc/macroloader.hxx index 051486c09adf..62a6555ff877 100644 --- a/sfx2/source/inc/macroloader.hxx +++ b/sfx2/source/inc/macroloader.hxx @@ -79,6 +79,8 @@ public: virtual void SAL_CALL addStatusListener( const css::uno::Reference< css::frame::XStatusListener >& xControl, const css::util::URL& aURL ) override; virtual void SAL_CALL removeStatusListener( const css::uno::Reference< css::frame::XStatusListener >& xControl, const css::util::URL& aURL ) override; + + static SfxObjectShell* GetObjectShell(const css::uno::Reference& xFrame); }; #endif diff --git a/sw/source/filter/html/htmlplug.cxx b/sw/source/filter/html/htmlplug.cxx index 65e0419f4ed9..90036cfac67a 100644 --- a/sw/source/filter/html/htmlplug.cxx +++ b/sw/source/filter/html/htmlplug.cxx @@ -1090,7 +1090,12 @@ void SwHTMLParser::InsertFloatingFrame() bool bHasBorder = aFrameDesc.HasFrameBorder(); Size aMargin = aFrameDesc.GetMargin(); - xSet->setPropertyValue("FrameURL", uno::makeAny( aFrameDesc.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE ) ) ); + OUString sHRef = aFrameDesc.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE ); + + if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro) + NotifyMacroEventRead(); + + xSet->setPropertyValue("FrameURL", uno::makeAny( sHRef ) ); xSet->setPropertyValue("FrameName", uno::makeAny( aName ) ); if ( eScroll == ScrollingMode::Auto ) diff --git a/sw/source/filter/xml/xmltexti.cxx b/sw/source/filter/xml/xmltexti.cxx index cf0c7e6a85ba..eaf45dd91cd4 100644 --- a/sw/source/filter/xml/xmltexti.cxx +++ b/sw/source/filter/xml/xmltexti.cxx @@ -857,9 +857,14 @@ uno::Reference< XPropertySet > SwXMLTextImportHelper::createAndInsertFloatingFra uno::Reference < beans::XPropertySet > xSet( xObj->getComponent(), uno::UNO_QUERY ); if ( xSet.is() ) { + OUString sHRef = URIHelper::SmartRel2Abs( + INetURLObject( GetXMLImport().GetBaseURL() ), rHRef ); + + if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro) + GetXMLImport().NotifyMacroEventRead(); + xSet->setPropertyValue("FrameURL", - makeAny( URIHelper::SmartRel2Abs( - INetURLObject( GetXMLImport().GetBaseURL() ), rHRef ) ) ); + makeAny( rHRef ) ); xSet->setPropertyValue("FrameName", makeAny( rName ) ); diff --git a/wizards/source/access2base/DoCmd.xba b/wizards/source/access2base/DoCmd.xba index 089486a872fa..20051553c47f 100644 --- a/wizards/source/access2base/DoCmd.xba +++ b/wizards/source/access2base/DoCmd.xba @@ -2655,7 +2655,7 @@ Private Sub _ShellExecute(sCommand As String) Dim oShell As Object Set oShell = createUnoService("com.sun.star.system.SystemShellExecute") - oShell.execute(sCommand, "" , com.sun.star.system.SystemShellExecuteFlags.DEFAULTS) + oShell.execute(sCommand, "" , com.sun.star.system.SystemShellExecuteFlags.URIS_ONLY) End Sub ' _ShellExecute V0.8.5 diff --git a/wizards/source/scriptforge/SF_Session.xba b/wizards/source/scriptforge/SF_Session.xba index a41bffa51377..7c709897947a 100644 --- a/wizards/source/scriptforge/SF_Session.xba +++ b/wizards/source/scriptforge/SF_Session.xba @@ -513,7 +513,7 @@ Check: Try: Set oShell = SF_Utils._GetUNOService("SystemShellExecute") sCommand = SF_FileSystem._ConvertToUrl(Command) - oShell.execute(sCommand, Parameters, com.sun.star.system.SystemShellExecuteFlags.DEFAULTS) + oShell.execute(sCommand, Parameters, com.sun.star.system.SystemShellExecuteFlags.URIS_ONLY) bReturn = True Finally: diff --git a/xmloff/source/draw/ximpshap.cxx b/xmloff/source/draw/ximpshap.cxx index 65a7e2fb0eef..4afa4e039776 100644 --- a/xmloff/source/draw/ximpshap.cxx +++ b/xmloff/source/draw/ximpshap.cxx @@ -87,6 +87,7 @@ #include #include #include +#include #include #include @@ -3231,6 +3232,9 @@ void SdXMLFloatingFrameShapeContext::StartElement( const css::uno::Reference< cs if( !maHref.isEmpty() ) { + if (INetURLObject(maHref).GetProtocol() == INetProtocol::Macro) + GetImport().NotifyMacroEventRead(); + xProps->setPropertyValue("FrameURL", Any(maHref) ); } } -- 2.37.3