Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP4:Update
libreoffice.31887
CVE-2023-6186-3.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2023-6186-3.patch of Package libreoffice.31887
From 672716d09c54cb6fdd59baa7da4b8393cf104cd2 Mon Sep 17 00:00:00 2001 From: Caolán McNamara <caolan.mcnamara@collabora.com> Date: Fri, 03 Nov 2023 17:26:25 +0000 Subject: [PATCH] default to ignoring libreoffice special-purpose protocols in calc hyperlink Change-Id: Ib9f62be3acc05f24ca234dec0fec21e24579e9de Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158911 Tested-by: Jenkins Tested-by: Caolán McNamara <caolan.mcnamara@collabora.com> Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com> (cherry picked from commit b6062623b4d69c79e90e9365ac7c5e7f11986793) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159045 Reviewed-by: Eike Rathke <erack@redhat.com> --- diff --git a/dbaccess/source/core/dataaccess/ModelImpl.cxx b/dbaccess/source/core/dataaccess/ModelImpl.cxx index 3e21289..e399d5d 100644 --- a/dbaccess/source/core/dataaccess/ModelImpl.cxx +++ b/dbaccess/source/core/dataaccess/ModelImpl.cxx @@ -1125,7 +1125,8 @@ { Reference< XInteractionHandler > xInteraction; xInteraction = m_aMediaDescriptor.getOrDefault( "InteractionHandler", xInteraction ); - return m_aMacroMode.checkMacrosOnLoading( xInteraction ); + const bool bHasMacros = m_aMacroMode.hasMacros(); + return m_aMacroMode.checkMacrosOnLoading(xInteraction, false /*HasValidContentSignature*/, bHasMacros); } void ODatabaseModelImpl::resetMacroExecutionMode() diff --git a/include/sfx2/docmacromode.hxx b/include/sfx2/docmacromode.hxx index 2a0421a..9ba3201 100644 --- a/include/sfx2/docmacromode.hxx +++ b/include/sfx2/docmacromode.hxx @@ -266,6 +266,8 @@ */ static bool storageHasMacros( const css::uno::Reference< css::embed::XStorage >& _rxStorage ); + bool hasMacros() const; + static bool containerHasBasicMacros( const css::uno::Reference< css::script::XLibraryContainer >& xContainer ); /** checks the macro execution mode while loading the document. @@ -293,7 +295,7 @@ bool checkMacrosOnLoading( const css::uno::Reference< css::task::XInteractionHandler >& _rxInteraction, - bool bHasValidContentSignature = false + bool bHasValidContentSignature, bool bHasMacros ); private: diff --git a/include/sfx2/objsh.hxx b/include/sfx2/objsh.hxx index 9b7db53..bd3e25e 100644 --- a/include/sfx2/objsh.hxx +++ b/include/sfx2/objsh.hxx @@ -429,6 +429,9 @@ void SetMacroCallsSeenWhileLoading(); bool GetMacroCallsSeenWhileLoading() const; + // true if the document had macros (or similar) on load to trigger warning user + bool GetHadCheckedMacrosOnLoad() const; + const css::uno::Sequence< css::beans::PropertyValue >& GetModifyPasswordInfo() const; bool SetModifyPasswordInfo( const css::uno::Sequence< css::beans::PropertyValue >& aInfo ); diff --git a/sc/source/core/data/global.cxx b/sc/source/core/data/global.cxx index 027bc57..e949007 100644 --- a/sc/source/core/data/global.cxx +++ b/sc/source/core/data/global.cxx @@ -29,7 +29,9 @@ #include <sfx2/docfile.hxx> #include <sfx2/dispatch.hxx> #include <sfx2/objsh.hxx> +#include <sfx2/sfxresid.hxx> #include <sfx2/sfxsids.hrc> +#include <sfx2/strings.hrc> #include <sfx2/viewfrm.hxx> #include <sfx2/viewsh.hxx> #include <svl/intitem.hxx> @@ -822,7 +824,7 @@ OUString aUrlName( rURL ); SfxViewFrame* pFrame = nullptr; - const SfxObjectShell* pObjShell = nullptr; + SfxObjectShell* pObjShell = nullptr; OUString aReferName; if ( pScActiveViewShell ) { @@ -856,6 +858,35 @@ aUrlName = aNewUrlName; } + if (INetURLObject(aUrlName).IsExoticProtocol()) + { + // Default to ignoring exotic protocols + bool bAllow = false; + if (pObjShell) + { + // If the document had macros when loaded then follow the allowed macro-mode + if (pObjShell->GetHadCheckedMacrosOnLoad()) + bAllow = pObjShell->AdjustMacroMode(); + else // otherwise ask the user, defaulting to cancel + { + assert(pFrame && "if we have pObjShell we have pFrame"); + //Reuse URITools::onOpenURI warning string + std::unique_ptr<weld::MessageDialog> xQueryBox(Application::CreateMessageDialog(pFrame->GetFrameWeld(), + VclMessageType::Warning, VclButtonsType::YesNo, + SfxResId(STR_DANGEROUS_TO_OPEN))); + xQueryBox->set_primary_text(xQueryBox->get_primary_text().replaceFirst("$(ARG1)", + INetURLObject::decode(aUrlName, INetURLObject::DecodeMechanism::Unambiguous))); + xQueryBox->set_default_response(RET_NO); + bAllow = xQueryBox->run() == RET_YES; + } + } + if (!bAllow) + { + SAL_WARN("sc", "ScGlobal::OpenURL ignoring: " << aUrlName); + return; + } + } + SfxStringItem aUrl( SID_FILE_NAME, aUrlName ); SfxStringItem aTarget( SID_TARGETNAME, rTarget ); if ( nScClickMouseModifier & KEY_SHIFT ) // control-click -> into new window diff --git a/sfx2/source/doc/docmacromode.cxx b/sfx2/source/doc/docmacromode.cxx index 98d8e06..4133f9d 100644 --- a/sfx2/source/doc/docmacromode.cxx +++ b/sfx2/source/doc/docmacromode.cxx @@ -415,8 +415,12 @@ return bHasMacros; } + bool DocumentMacroMode::hasMacros() const + { + return m_xData->m_rDocumentAccess.documentStorageHasMacros() || hasMacroLibrary() || m_xData->m_rDocumentAccess.macroCallsSeenWhileLoading(); + } - bool DocumentMacroMode::checkMacrosOnLoading( const Reference< XInteractionHandler >& rxInteraction, bool bHasValidContentSignature ) + bool DocumentMacroMode::checkMacrosOnLoading( const Reference< XInteractionHandler >& rxInteraction, bool bHasValidContentSignature, bool bHasMacros ) { bool bAllow = false; if ( SvtSecurityOptions::IsMacroDisabled() ) @@ -426,7 +430,7 @@ } else { - if (m_xData->m_rDocumentAccess.documentStorageHasMacros() || hasMacroLibrary() || m_xData->m_rDocumentAccess.macroCallsSeenWhileLoading()) + if (bHasMacros) { bAllow = adjustMacroMode( rxInteraction, bHasValidContentSignature ); } diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx index d0f4983..ee1f83b 100644 --- a/sfx2/source/doc/objmisc.cxx +++ b/sfx2/source/doc/objmisc.cxx @@ -957,9 +957,15 @@ // check macro security const bool bHasValidContentSignature = HasValidSignatures(); - pImpl->aMacroMode.checkMacrosOnLoading( xInteraction, bHasValidContentSignature ); + const bool bHasMacros = pImpl->aMacroMode.hasMacros(); + pImpl->aMacroMode.checkMacrosOnLoading( xInteraction, bHasValidContentSignature, bHasMacros ); + pImpl->m_bHadCheckedMacrosOnLoad = bHasMacros; } +bool SfxObjectShell::GetHadCheckedMacrosOnLoad() const +{ + return pImpl->m_bHadCheckedMacrosOnLoad; +} void SfxObjectShell::CheckEncryption_Impl( const uno::Reference< task::XInteractionHandler >& xHandler ) { diff --git a/sfx2/source/doc/objxtor.cxx b/sfx2/source/doc/objxtor.cxx index 397a937..0894e66 100644 --- a/sfx2/source/doc/objxtor.cxx +++ b/sfx2/source/doc/objxtor.cxx @@ -210,6 +210,7 @@ ,m_bAllowShareControlFileClean( true ) ,m_bConfigOptionsChecked( false ) ,m_bMacroCallsSeenWhileLoading( false ) + ,m_bHadCheckedMacrosOnLoad( false ) ,lErr(ERRCODE_NONE) ,nEventId ( SfxEventHintId::NONE ) ,nLoadedFlags ( SfxLoadedFlags::ALL ) diff --git a/sfx2/source/inc/objshimp.hxx b/sfx2/source/inc/objshimp.hxx index 1bece81..6f69122 100644 --- a/sfx2/source/inc/objshimp.hxx +++ b/sfx2/source/inc/objshimp.hxx @@ -91,7 +91,8 @@ m_bSharedXMLFlag:1, // whether the document should be edited in shared mode m_bAllowShareControlFileClean:1, // whether the flag should be stored in xml file m_bConfigOptionsChecked:1, // whether or not the user options are checked after the Options dialog is closed. - m_bMacroCallsSeenWhileLoading:1; // whether or not the user options are checked after the Options dialog is closed. + m_bMacroCallsSeenWhileLoading:1, // whether or not macro calls were seen when loading document. + m_bHadCheckedMacrosOnLoad:1; // if document contained macros (or calls) when loaded IndexBitSet aBitSet; ErrCode lErr;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
