officecfg/registry/schema/org/openoffice/Office/Common.xcs |   16 +++++
 sfx2/Library_sfx.mk                                        |    3 +
 sfx2/source/inc/eventsupplier.hxx                          |    4 +
 sfx2/source/notify/eventsupplier.cxx                       |   35 +++++++++++++
 4 files changed, 58 insertions(+)

New commits:
commit 871c03e5f5371ae2226ac23d2979e68bddd00842
Author:     Samuel Mehrbrodt <samuel.mehrbr...@allotropia.de>
AuthorDate: Tue Mar 16 16:27:44 2021 +0100
Commit:     Thorsten Behrens <thorsten.behr...@allotropia.de>
CommitDate: Tue Apr 27 14:09:46 2021 +0200

    Add mechanism to selectively enable macros for document events
    
    Change-Id: I56703b2c0ee009a645458c78c026c546b2e7e321
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/112584
    Tested-by: Jenkins
    Reviewed-by: Samuel Mehrbrodt <samuel.mehrbr...@allotropia.de>
    (cherry picked from commit 0a893a15b02a3662e3c68776be09534c9f955e4f)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113627
    Tested-by: Samuel Mehrbrodt <samuel.mehrbr...@allotropia.de>
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/114707
    Tested-by: Thorsten Behrens <thorsten.behr...@allotropia.de>
    Reviewed-by: Thorsten Behrens <thorsten.behr...@allotropia.de>

diff --git a/officecfg/registry/schema/org/openoffice/Office/Common.xcs 
b/officecfg/registry/schema/org/openoffice/Office/Common.xcs
index 2df062a36c62..f64fa6c17915 100644
--- a/officecfg/registry/schema/org/openoffice/Office/Common.xcs
+++ b/officecfg/registry/schema/org/openoffice/Office/Common.xcs
@@ -2670,6 +2670,22 @@
           </info>
           <value>true</value>
         </prop>
+        <prop oor:name="AllowedDocumentEventURLs" oor:type="oor:string-list">
+          <info>
+            <desc>List of script URLS which are allowed to be called by 
document events.
+            Look into content.xml of the odf file to find the URL.
+            You can either write the full URL, a part of it (starting from the 
beginning),
+            or use regular expressions.
+            Examples:
+              * 
vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=user
+              * vnd.sun.star.script:Standard.Module1
+              * vnd.sun.star.script:YourScript.*location=share
+              * .*location=application.*
+
+            When this list is empty, all document event URLs are allowed.
+            </desc>
+          </info>
+        </prop>
         <set oor:name="TrustedAuthors" oor:node-type="TrustedAuthor">
           <info>
             <desc>List with trusted authors.</desc>
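Review bot: The `<desc>` for AllowedDocumentEventURLs does not say how broad a partial entry is. The matching code in eventsupplier.cxx uses a plain starts-with test, so `vnd.sun.star.script:Standard.Module1` also covers `Standard.Module10…` and places no constraint on the trailing `location=` value, which would include scripts stored in the document itself. Because this property is a security control, the description should state that prefixes are not delimiter-aware, that a regular expression must match the whole URL and is applied case-insensitively, and that entries should pin `location=` where the origin of the script matters. The sentence "When this list is empty, all document event URLs are allowed" should also be checked against the code, which tests for an unset value, not for an empty list.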
diff --git a/sfx2/Library_sfx.mk b/sfx2/Library_sfx.mk
index 3920cc121d4a..8dbefd18c724 100644
--- a/sfx2/Library_sfx.mk
+++ b/sfx2/Library_sfx.mk
@@ -69,6 +69,9 @@ $(eval $(call gb_Library_use_libraries,sfx,\
 
 $(eval $(call gb_Library_use_externals,sfx,\
     boost_headers \
+    icu_headers \
+    icui18n \
+    icuuc \
     libxml2 \
     orcus \
     orcus-parser\
diff --git a/sfx2/source/inc/eventsupplier.hxx 
b/sfx2/source/inc/eventsupplier.hxx
index 3fdd009bcabd..5451f8e83e93 100644
--- a/sfx2/source/inc/eventsupplier.hxx
+++ b/sfx2/source/inc/eventsupplier.hxx
@@ -87,6 +87,10 @@ public:
                                     ::comphelper::NamedValueCollection& 
o_normalizedDescriptor,
                                     SfxObjectShell* i_document );
     static void Execute( css::uno::Any const & aEventData, const 
css::document::DocumentEvent& aTrigger, SfxObjectShell* pDoc );
+
+private:
+    /// Check if script URL whitelist exists, and if so, if current script url 
is part of it
+    static bool isScriptURLAllowed(const OUString& aScriptURL);
 };
 
 #endif
diff --git a/sfx2/source/notify/eventsupplier.cxx 
b/sfx2/source/notify/eventsupplier.cxx
index 3861149da731..06f4dc15d6d4 100644
--- a/sfx2/source/notify/eventsupplier.cxx
+++ b/sfx2/source/notify/eventsupplier.cxx
@@ -23,6 +23,7 @@
 #include <com/sun/star/document/XScriptInvocationContext.hpp>
 #include <com/sun/star/util/URL.hpp>
 #include <com/sun/star/frame/Desktop.hpp>
+#include <com/sun/star/uno/Sequence.hxx>
 #include <com/sun/star/util/URLTransformer.hpp>
 #include <com/sun/star/util/XURLTransformer.hpp>
 #include <com/sun/star/uno/XInterface.hpp>
@@ -37,6 +38,8 @@
 #include <unotools/securityoptions.hxx>
 #include <comphelper/processfactory.hxx>
 #include <comphelper/namedvaluecollection.hxx>
+#include <comphelper/sequence.hxx>
+#include <officecfg/Office/Common.hxx>
 #include <eventsupplier.hxx>
 
 #include <sfx2/app.hxx>
@@ -47,6 +50,10 @@
 #include <sfx2/frame.hxx>
 #include <macroloader.hxx>
 
+#include <unicode/errorcode.h>
+#include <unicode/regex.h>
+#include <unicode/unistr.h>
+
 using namespace css;
 using namespace ::com::sun::star;
 
@@ -194,6 +201,31 @@ namespace
     }
 }
 
+bool SfxEvents_Impl::isScriptURLAllowed(const OUString& aScriptURL)
+{
+    boost::optional<css::uno::Sequence<OUString>> allowedEvents(
+        
officecfg::Office::Common::Security::Scripting::AllowedDocumentEventURLs::get());
+    // When AllowedDocumentEventURLs is empty, all event URLs are allowed
+    if (!allowedEvents)
+        return true;
+
+    icu::ErrorCode status;
+    const uint32_t rMatcherFlags = UREGEX_CASE_INSENSITIVE;
+    icu::UnicodeString usInput(aScriptURL.getStr());
+    const css::uno::Sequence<OUString>& rAllowedEvents = *allowedEvents;
+    for (auto const& allowedEvent : rAllowedEvents)
+    {
+        icu::UnicodeString usRegex(allowedEvent.getStr());
+        icu::RegexMatcher rmatch1(usRegex, usInput, rMatcherFlags, status);
+        if (aScriptURL.startsWith(allowedEvent) || rmatch1.matches(status))
+        {
+            return true;
+        }
+    }
+
+    return false;
+}
+
 void SfxEvents_Impl::Execute( uno::Any const & aEventData, const 
document::DocumentEvent& aTrigger, SfxObjectShell* pDoc )
 {
     uno::Sequence < beans::PropertyValue > aProperties;
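Review bot: The single `icu::ErrorCode status` in isScriptURLAllowed is shared by every loop iteration and is never checked or reset. Once one configured entry fails to compile as a regex (a literal URL containing an unbalanced `(` or `[`, for example), ICU calls that receive an already-failed status return without doing any work, so `rmatch1.matches(status)` is false for every later entry and only the `startsWith` branch still works. Declare `icu::ErrorCode status;` as the first statement inside the `for` body and skip the entry when `status.isFailure()` after constructing the matcher. Separately, `if (!allowedEvents)` tests for an unset property, not for an empty sequence. If the configuration can deliver a set-but-empty list, the loop body never runs and every URL is rejected, which contradicts the comment above it, so that case is worth confirming. The trailing context lines belong to Execute, whose body continues outside this hunk.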
@@ -236,6 +268,9 @@ void SfxEvents_Impl::Execute( uno::Any const & aEventData, 
const document::Docum
     if (aScript.isEmpty())
         return;
 
+    if (!isScriptURLAllowed(aScript))
+        return;
+
     if (!pDoc)
         pDoc = SfxObjectShell::Current();
 
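Review bot: The new `if (!isScriptURLAllowed(aScript)) return;` drops the event silently, so nothing records that a document tried to run a macro the allow-list rejected. An administrator has no way to tell a blocked script from a misconfigured entry, and a rejected URL is exactly the signal worth keeping for later investigation. Emit a `SAL_WARN` (in this module's existing log area) naming the rejected script URL before returning. Execute starts and ends outside this hunk, so whether an earlier log line already covers this cannot be seen from here.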