eabdullin
50fd5124e0
- add some protocols that don't make sense as floating frame targets - warn about exotic protocols as well - default to ignoring libreoffice special-purpose protocols in calc hyperlink - reuse AllowedLinkProtocolFromDocument in writer - reuse AllowedLinkProtocolFromDocument in impress/draw - CVE-2023-6186 backporting
94 lines
3.8 KiB
Diff
94 lines
3.8 KiB
Diff
From a7bc0ab5215734cb2bd4162cb5cdcc69fef23ef4 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
|
|
Date: Tue, 11 Apr 2023 10:13:37 +0100
|
|
Subject: [PATCH 1/3] set Referer on loading IFrames
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
so tools, options, security, options,
|
|
"block any links from document not..."
|
|
applies to their contents.
|
|
|
|
Change-Id: I04839aea6b07a4a76ac147a85045939ccd9c3c79
|
|
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150221
|
|
Tested-by: Jenkins
|
|
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
|
|
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150751
|
|
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
|
|
(cherry picked from commit acff9ca0579333b45d10ae5f8cd48172f563dddd)
|
|
(cherry picked from commit 04c8176fb40d2eb983aa0bd0a6ce65804d3f6ecd)
|
|
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152094
|
|
Tested-by: Caolán McNamara <caolan.mcnamara@collabora.com>
|
|
Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
|
|
|
|
(cherry picked from commit 789155b523b384df020d86228ac200a63a68b154)
|
|
Conflicts:
|
|
sfx2/source/doc/iframe.cxx
|
|
---
|
|
sfx2/source/doc/iframe.cxx | 22 ++++++++++++++--------
|
|
1 file changed, 14 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx
|
|
index b5291b239164b..5a0ea96a234da 100644
|
|
--- a/sfx2/source/doc/iframe.cxx
|
|
+++ b/sfx2/source/doc/iframe.cxx
|
|
@@ -32,12 +32,14 @@
|
|
#include <com/sun/star/ui/dialogs/XExecutableDialog.hpp>
|
|
#include <com/sun/star/embed/XEmbeddedObject.hpp>
|
|
|
|
+#include <comphelper/propertyvalue.hxx>
|
|
#include <cppuhelper/implbase.hxx>
|
|
#include <cppuhelper/supportsservice.hxx>
|
|
#include <rtl/ref.hxx>
|
|
#include <svtools/miscopt.hxx>
|
|
#include <svl/ownlist.hxx>
|
|
#include <svl/itemprop.hxx>
|
|
+#include <sfx2/docfile.hxx>
|
|
#include <sfx2/frmdescr.hxx>
|
|
#include <sfx2/objsh.hxx>
|
|
#include <sfx2/sfxdlg.hxx>
|
|
@@ -166,14 +168,19 @@ sal_Bool SAL_CALL IFrameObject::load(
|
|
uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) );
|
|
xTrans->parseStrict( aTargetURL );
|
|
|
|
+ uno::Reference<frame::XFramesSupplier> xParentFrame = xFrame->getCreator();
|
|
+ SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame);
|
|
+
|
|
if (INetURLObject(aTargetURL.Complete).GetProtocol() == INetProtocol::Macro)
|
|
{
|
|
- uno::Reference<frame::XFramesSupplier> xParentFrame = xFrame->getCreator();
|
|
- SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame);
|
|
if (pDoc && !pDoc->AdjustMacroMode())
|
|
return false;
|
|
}
|
|
|
|
+ OUString sReferer;
|
|
+ if (pDoc && pDoc->HasName())
|
|
+ sReferer = pDoc->GetMedium()->GetName();
|
|
+
|
|
DBG_ASSERT( !mxFrame.is(), "Frame already existing!" );
|
|
VclPtr<vcl::Window> pParent = VCLUnoHelper::GetWindow( xFrame->getContainerWindow() );
|
|
VclPtr<IFrameWindow_Impl> pWin = VclPtr<IFrameWindow_Impl>::Create( pParent, maFrmDescr.IsFrameBorderOn() );
|
|
@@ -196,12 +203,11 @@ sal_Bool SAL_CALL IFrameObject::load(
|
|
if ( xFramesSupplier.is() )
|
|
mxFrame->setCreator( xFramesSupplier );
|
|
|
|
- uno::Sequence < beans::PropertyValue > aProps(2);
|
|
- aProps[0].Name = "PluginMode";
|
|
- aProps[0].Value <<= sal_Int16(2);
|
|
- aProps[1].Name = "ReadOnly";
|
|
- aProps[1].Value <<= true;
|
|
-
|
|
+ uno::Sequence < beans::PropertyValue > aProps{
|
|
+ comphelper::makePropertyValue("PluginMode", sal_Int16(2)),
|
|
+ comphelper::makePropertyValue("ReadOnly", true),
|
|
+ comphelper::makePropertyValue("Referer", sReferer)
|
|
+ };
|
|
uno::Reference < frame::XDispatch > xDisp = mxFrame->queryDispatch( aTargetURL, "_self", 0 );
|
|
if ( xDisp.is() )
|
|
xDisp->dispatch( aTargetURL, aProps );
|
|
--
|
|
2.41.0
|
|
|