libreoffice/SOURCES/0002-CVE-2023-6186-warn-about-exotic-protocols-as-well.patch
Eduard Abdullin b362cd0892 - escape url passed to gstreamer
- add some protocols that don't make sense as floating frame
 targets
- warn about exotic protocols as well
- default to ignoring libreoffice special-purpose protocols
 in calc hyperlink
- reuse AllowedLinkProtocolFromDocument in writer
- reuse AllowedLinkProtocolFromDocument in impress/draw
- CVE-2023-6186 backporting
2024-03-21 17:20:48 +03:00


From 82752ccba78ecdbf94908377ec022f68ba7d9d59 Mon Sep 17 00:00:00 2001
Message-ID: <82752ccba78ecdbf94908377ec022f68ba7d9d59.1703086328.git.erack@redhat.com>
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolan.mcnamara@collabora.com>
Date: Sat, 4 Nov 2023 19:57:51 +0000
Subject: [PATCH 1/4] warn about exotic protocols as well
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="------------erAck-patch-parts"
This is a multi-part message in MIME format.
--------------erAck-patch-parts
Content-Type: text/plain; charset=UTF-8; format=fixed
Content-Transfer-Encoding: 8bit
Change-Id: I50dcf4f36cd20d75f5ad3876353143268740a50f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/151834
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
(cherry picked from commit 1305f70cff8a81a58a5a6d9c96c5bb032005389e)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159034
Reviewed-by: Eike Rathke <erack@redhat.com>
Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159881
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159911
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
erAck: backported to 7.1.8.1
---
sw/source/filter/html/htmlplug.cxx | 2 +-
sw/source/filter/xml/xmltexti.cxx | 2 +-
tools/source/fsys/urlobj.cxx | 3 ++-
xmloff/source/draw/ximpshap.cxx | 2 +-
4 files changed, 5 insertions(+), 4 deletions(-)
--------------erAck-patch-parts
Content-Type: text/x-patch; name="0001-warn-about-exotic-protocols-as-well.patch"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="0001-warn-about-exotic-protocols-as-well.patch"
diff --git a/sw/source/filter/html/htmlplug.cxx b/sw/source/filter/html/htmlplug.cxx
index 1aec184d8a6c..1c1f5f49f13e 100644
--- a/sw/source/filter/html/htmlplug.cxx
+++ b/sw/source/filter/html/htmlplug.cxx
@@ -1092,7 +1092,7 @@ void SwHTMLParser::InsertFloatingFrame()
OUString sHRef = aFrameDesc.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE );
- if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro)
+ if (INetURLObject(sHRef).IsExoticProtocol())
NotifyMacroEventRead();
xSet->setPropertyValue("FrameURL", uno::makeAny( sHRef ) );
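Review bot: The widened check `if (INetURLObject(sHRef).IsExoticProtocol())` still only calls `NotifyMacroEventRead()`, and the `setPropertyValue("FrameURL", ...)` on the next line stores the URL unconditionally. Whether a slot:, uno:, script or service: frame target is actually refused therefore depends on what that notification triggers, which is not visible in this hunk. Since the callee's name still says "macro", a comment at the call site would make the contract explicit, e.g. `// exotic frame targets are treated like macro URLs: flag the document so macro security handling applies`. The same pattern, and the same comment, applies to the xmltexti.cxx and ximpshap.cxx hunks. `InsertFloatingFrame` starts and ends outside the hunk.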
diff --git a/sw/source/filter/xml/xmltexti.cxx b/sw/source/filter/xml/xmltexti.cxx
index 7ec4616f76dd..4bbed6bb8ff8 100644
--- a/sw/source/filter/xml/xmltexti.cxx
+++ b/sw/source/filter/xml/xmltexti.cxx
@@ -860,7 +860,7 @@ uno::Reference< XPropertySet > SwXMLTextImportHelper::createAndInsertFloatingFra
OUString sHRef = URIHelper::SmartRel2Abs(
INetURLObject( GetXMLImport().GetBaseURL() ), rHRef );
- if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro)
+ if (INetURLObject(sHRef).IsExoticProtocol())
GetXMLImport().NotifyMacroEventRead();
xSet->setPropertyValue("FrameURL",
diff --git a/tools/source/fsys/urlobj.cxx b/tools/source/fsys/urlobj.cxx
index 2a9f7bc3d7dc..36a8af31a0fb 100644
--- a/tools/source/fsys/urlobj.cxx
+++ b/tools/source/fsys/urlobj.cxx
@@ -4767,7 +4767,8 @@ bool INetURLObject::IsExoticProtocol() const
return m_eScheme == INetProtocol::Slot ||
m_eScheme == INetProtocol::Macro ||
m_eScheme == INetProtocol::Uno ||
- isSchemeEqualTo(u"vnd.sun.star.script");
+ isSchemeEqualTo(u"vnd.sun.star.script") ||
+ isSchemeEqualTo(u"service");
}
/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
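Review bot: `IsExoticProtocol()` is a denylist, and the new `isSchemeEqualTo(u"service")` entry arrives with no comment explaining why that scheme belongs in it. Three importers now rely on this function for their floating-frame warning, so any special-purpose scheme missing from the list passes through without a warning. I would add a comment above the `return`, such as `// special-purpose schemes that invoke application functionality instead of loading content; keep in sync with the importers that warn on them`. It is also worth confirming that `isSchemeEqualTo()` compares case-insensitively, so that an upper-case spelling of the scheme matches as well; its implementation is outside this hunk.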
diff --git a/xmloff/source/draw/ximpshap.cxx b/xmloff/source/draw/ximpshap.cxx
index 113f3a3ffc2a..263b4b937608 100644
--- a/xmloff/source/draw/ximpshap.cxx
+++ b/xmloff/source/draw/ximpshap.cxx
@@ -3257,7 +3257,7 @@ void SdXMLFloatingFrameShapeContext::StartElement( const css::uno::Reference< cs
if( !maHref.isEmpty() )
{
- if (INetURLObject(maHref).GetProtocol() == INetProtocol::Macro)
+ if (INetURLObject(maHref).IsExoticProtocol())
GetImport().NotifyMacroEventRead();
xProps->setPropertyValue("FrameURL", Any(maHref) );
--------------erAck-patch-parts--