libreoffice/SOURCES/0001-set-Referer-on-loading-IFrames.patch
eabdullin 50fd5124e0 - escape url passed to gstreamer
- add some protocols that don't make sense as floating frame
 targets
- warn about exotic protocols as well
- default to ignoring libreoffice special-purpose protocols
 in calc hyperlink
- reuse AllowedLinkProtocolFromDocument in writer
- reuse AllowedLinkProtocolFromDocument in impress/draw
- CVE-2023-6186 backporting
2024-03-29 14:27:04 +03:00

94 lines
3.8 KiB
Diff

From a7bc0ab5215734cb2bd4162cb5cdcc69fef23ef4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Tue, 11 Apr 2023 10:13:37 +0100
Subject: [PATCH 1/3] set Referer on loading IFrames
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
so tools, options, security, options,
"block any links from document not..."
applies to their contents.
Change-Id: I04839aea6b07a4a76ac147a85045939ccd9c3c79
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150221
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150751
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
(cherry picked from commit acff9ca0579333b45d10ae5f8cd48172f563dddd)
(cherry picked from commit 04c8176fb40d2eb983aa0bd0a6ce65804d3f6ecd)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152094
Tested-by: Caolán McNamara <caolan.mcnamara@collabora.com>
Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
(cherry picked from commit 789155b523b384df020d86228ac200a63a68b154)
Conflicts:
sfx2/source/doc/iframe.cxx
---
sfx2/source/doc/iframe.cxx | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx
index b5291b239164b..5a0ea96a234da 100644
--- a/sfx2/source/doc/iframe.cxx
+++ b/sfx2/source/doc/iframe.cxx
@@ -32,12 +32,14 @@
#include <com/sun/star/ui/dialogs/XExecutableDialog.hpp>
#include <com/sun/star/embed/XEmbeddedObject.hpp>
+#include <comphelper/propertyvalue.hxx>
#include <cppuhelper/implbase.hxx>
#include <cppuhelper/supportsservice.hxx>
#include <rtl/ref.hxx>
#include <svtools/miscopt.hxx>
#include <svl/ownlist.hxx>
#include <svl/itemprop.hxx>
+#include <sfx2/docfile.hxx>
#include <sfx2/frmdescr.hxx>
#include <sfx2/objsh.hxx>
#include <sfx2/sfxdlg.hxx>
@@ -166,14 +168,19 @@ sal_Bool SAL_CALL IFrameObject::load(
uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) );
xTrans->parseStrict( aTargetURL );
+ uno::Reference<frame::XFramesSupplier> xParentFrame = xFrame->getCreator();
+ SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame);
+
if (INetURLObject(aTargetURL.Complete).GetProtocol() == INetProtocol::Macro)
{
- uno::Reference<frame::XFramesSupplier> xParentFrame = xFrame->getCreator();
- SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame);
if (pDoc && !pDoc->AdjustMacroMode())
return false;
}
+ OUString sReferer;
+ if (pDoc && pDoc->HasName())
+ sReferer = pDoc->GetMedium()->GetName();
+
DBG_ASSERT( !mxFrame.is(), "Frame already existing!" );
VclPtr<vcl::Window> pParent = VCLUnoHelper::GetWindow( xFrame->getContainerWindow() );
VclPtr<IFrameWindow_Impl> pWin = VclPtr<IFrameWindow_Impl>::Create( pParent, maFrmDescr.IsFrameBorderOn() );
@@ -196,12 +203,11 @@ sal_Bool SAL_CALL IFrameObject::load(
if ( xFramesSupplier.is() )
mxFrame->setCreator( xFramesSupplier );
- uno::Sequence < beans::PropertyValue > aProps(2);
- aProps[0].Name = "PluginMode";
- aProps[0].Value <<= sal_Int16(2);
- aProps[1].Name = "ReadOnly";
- aProps[1].Value <<= true;
-
+ uno::Sequence < beans::PropertyValue > aProps{
+ comphelper::makePropertyValue("PluginMode", sal_Int16(2)),
+ comphelper::makePropertyValue("ReadOnly", true),
+ comphelper::makePropertyValue("Referer", sReferer)
+ };
uno::Reference < frame::XDispatch > xDisp = mxFrame->queryDispatch( aTargetURL, "_self", 0 );
if ( xDisp.is() )
xDisp->dispatch( aTargetURL, aProps );
--
2.41.0