avmedia/source/viewer/mediawindow_impl.cxx | 11 +- editeng/source/items/frmitems.cxx | 9 +- embeddedobj/source/commonembedding/persistence.cxx | 10 ++ forms/source/component/ImageControl.cxx | 6 + forms/source/component/clickableimage.cxx | 2 sal/osl/unx/thread.cxx | 2 sal/rtl/hash.cxx | 2 sfx2/source/appl/linkmgr2.cxx | 15 +++ sfx2/source/doc/docmacromode.cxx | 12 ++ sfx2/source/doc/objserv.cxx | 7 + sw/source/filter/html/htmlgrin.cxx | 17 +++ toolkit/source/controls/unocontrols.cxx | 3 tools/qa/cppunit/test_urlobj.cxx | 44 ++++++++++ tools/source/fsys/urlobj.cxx | 31 +++++-- unotools/source/misc/mediadescriptor.cxx | 3 vcl/source/filter/graphicfilter.cxx | 8 + vcl/source/gdi/embeddedfontshelper.cxx | 17 ++- xmlsecurity/CppunitTest_xmlsecurity_signing.mk | 1 xmlsecurity/qa/unit/signing/data/signature-forgery-cdh-lfh.docx |binary xmlsecurity/qa/unit/signing/signing.cxx | 44 ++++++++++ 20 files changed, 222 insertions(+), 22 deletions(-)
New commits: commit c8695ec8fc00b7c58e20bc2560079b1e819b5d57 Author: Stephan Bergmann <[email protected]> AuthorDate: Sun Dec 24 13:12:52 2023 +0100 Commit: Thorsten Behrens <[email protected]> CommitDate: Mon Jan 13 01:53:14 2025 +0100 -Werror=calloc-transposed-args Change-Id: I7b8b020bdbcd5b4db4cb478cc5fe1225f19ae0cf Reviewed-on: https://gerrit.libreoffice.org/c/core/+/161268 Tested-by: Jenkins Reviewed-by: Stephan Bergmann <[email protected]> (cherry picked from commit 4663c56edf788a37545f253e028db99e480feb34) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/172463 Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit dc59440aa41835f03268c41fd95c87c887697681) diff --git a/sal/osl/unx/thread.cxx b/sal/osl/unx/thread.cxx index 2fb488a48b57..2a7860d6096e 100644 --- a/sal/osl/unx/thread.cxx +++ b/sal/osl/unx/thread.cxx @@ -610,7 +610,7 @@ static sal_uInt16 insertThreadId (pthread_t hThread) if (pEntry == nullptr) { - pEntry = static_cast<HashEntry*>(calloc(sizeof(HashEntry), 1)); + pEntry = static_cast<HashEntry*>(calloc(1, sizeof(HashEntry))); pEntry->Handle = hThread; diff --git a/sal/rtl/hash.cxx b/sal/rtl/hash.cxx index 110283c3472b..d2f4e51784d4 100644 --- a/sal/rtl/hash.cxx +++ b/sal/rtl/hash.cxx 
@@ -80,7 +80,7 @@ rtl_str_hash_new (sal_uInt32 nSize) pHash->nEntries = 0; pHash->nSize = getNextSize (nSize); - pHash->pData = static_cast<rtl_uString **>(calloc (sizeof (rtl_uString *), pHash->nSize)); + pHash->pData = static_cast< rtl_uString ** >(calloc(pHash->nSize, sizeof(rtl_uString *))); return pHash; } commit 9f2d9185edcef1bce8d5d37ff06a6d4c4e87b99b Author: Stephan Bergmann <[email protected]> AuthorDate: Sat Dec 7 17:36:22 2024 +0100 Commit: Thorsten Behrens <[email protected]> CommitDate: Mon Jan 13 01:42:58 2025 +0100 Fix check for further exotic protocols ...that were added in 59891cd3985469bc44dbd05c9fc704eeb07f0c78 "look at 'embedded' protocols for protocols that support them" Change-Id: I42836d6fd27cd99e39ab07e626053f002a2651f5 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/178047 Tested-by: Jenkins Reviewed-by: Stephan Bergmann <[email protected]> (cherry picked from commit 8075798b22f2188530f57b8747589923bfd419ef) diff --git a/tools/qa/cppunit/test_urlobj.cxx b/tools/qa/cppunit/test_urlobj.cxx index 68ff8197076f..90fe6412547e 100644 --- a/tools/qa/cppunit/test_urlobj.cxx +++ b/tools/qa/cppunit/test_urlobj.cxx 
@@ -368,6 +368,49 @@ namespace tools_urlobj obj.GetMainURL(INetURLObject::DecodeMechanism::NONE)); } + void testIsExoticProtocol() { + { + INetURLObject url(u"vnd.sun.star.pkg://slot%3A0"); + CPPUNIT_ASSERT_EQUAL(INetProtocol::VndSunStarPkg, url.GetProtocol()); + CPPUNIT_ASSERT(url.IsExoticProtocol()); + } + { + INetURLObject url(u"vnd.sun.star.pkg://vnd.sun.star.pkg%3A%2F%2Fslot%253A0"); + CPPUNIT_ASSERT_EQUAL(INetProtocol::VndSunStarPkg, url.GetProtocol()); + CPPUNIT_ASSERT(url.IsExoticProtocol()); + } + { + INetURLObject url(u"vnd.sun.star.pkg://http%3A%2F%2Fexample.net"); + CPPUNIT_ASSERT_EQUAL(INetProtocol::VndSunStarPkg, url.GetProtocol()); + CPPUNIT_ASSERT(!url.IsExoticProtocol()); + } + { + INetURLObject url(u"vnd.sun.star.zip://slot%3A0"); + CPPUNIT_ASSERT_EQUAL(INetProtocol::Generic, url.GetProtocol()); + CPPUNIT_ASSERT(url.IsExoticProtocol()); + } + { + INetURLObject url(u"vnd.sun.star.zip://slot%3A0/foo"); + CPPUNIT_ASSERT_EQUAL(INetProtocol::Generic, url.GetProtocol()); + CPPUNIT_ASSERT(url.IsExoticProtocol()); + } + { + INetURLObject url(u"vnd.sun.star.zip://slot%3A0?foo"); + CPPUNIT_ASSERT_EQUAL(INetProtocol::Generic, url.GetProtocol()); + CPPUNIT_ASSERT(url.IsExoticProtocol()); + } + { + INetURLObject url(u"vnd.sun.star.zip://slot%3A0#foo"); + CPPUNIT_ASSERT_EQUAL(INetProtocol::Generic, url.GetProtocol()); + CPPUNIT_ASSERT(url.IsExoticProtocol()); + } + { + INetURLObject url(u"vnd.sun.star.zip://http%3A%2F%2Fexample.net"); + CPPUNIT_ASSERT_EQUAL(INetProtocol::Generic, url.GetProtocol()); + CPPUNIT_ASSERT(!url.IsExoticProtocol()); + } + } + // Change the following lines only, if you add, remove or rename // member functions of the current class, // because these macros are need by auto register mechanism. 
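Review bot: testIsExoticProtocol nests a wrapper only inside itself (pkg in pkg) and never mixes the two wrappers, so a regression in how one branch hands its payload to the other would go unnoticed. A constructed case such as `INetURLObject url(u"vnd.sun.star.zip://vnd.sun.star.pkg%3A%2F%2Fslot%253A0");` with `CPPUNIT_ASSERT(url.IsExoticProtocol());` would cover it, along with the mirror case of pkg wrapping zip. A one-line comment above the function, e.g. `// Wrapped URLs must be classified by the URL they embed, at any nesting depth`, would also tell the next reader why the doubly-encoded inputs are there.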
@@ -385,6 +428,7 @@ namespace tools_urlobj CPPUNIT_TEST( urlobjTest_isSchemeEqualTo ); CPPUNIT_TEST( urlobjTest_isAnyKnownWebDAVScheme ); CPPUNIT_TEST( testSetExtension ); + CPPUNIT_TEST( testIsExoticProtocol ); CPPUNIT_TEST_SUITE_END( ); }; // class createPool diff --git a/tools/source/fsys/urlobj.cxx b/tools/source/fsys/urlobj.cxx index 84a6a69ca3b5..223452d2ec38 100644 --- a/tools/source/fsys/urlobj.cxx +++ b/tools/source/fsys/urlobj.cxx 
@@ -4975,10 +4975,21 @@ bool INetURLObject::IsExoticProtocol() const { return true; } - if (isSchemeEqualTo(u"vnd.sun.star.pkg") || isSchemeEqualTo(u"vnd.sun.star.zip")) + if (m_eScheme == INetProtocol::VndSunStarPkg) { + return INetURLObject(GetHost(INetURLObject::DecodeMechanism::WithCharset)) + .IsExoticProtocol(); + } + if (isSchemeEqualTo(u"vnd.sun.star.zip")) { - OUString sPayloadURL = GetURLPath(INetURLObject::DecodeMechanism::WithCharset); - return sPayloadURL.startsWith(u"//") && INetURLObject(sPayloadURL.subView(2)).IsExoticProtocol(); + OUString sPayloadURL = GetURLPath(INetURLObject::DecodeMechanism::NONE); + if (!sPayloadURL.startsWith(u"//")) { + return false; + } + auto const find = [&sPayloadURL](auto c) { + auto const n = sPayloadURL.indexOf(c, 2); + return n == -1 ? sPayloadURL.getLength() : n; + }; + return INetURLObject(decode(sPayloadURL.copy(2, std::min(find('/'), find('?')) - 2), INetURLObject::DecodeMechanism::WithCharset)).IsExoticProtocol(); } return false; } commit ffd386dea906067bf123a6414e13474801525383 Author: Caolán McNamara <[email protected]> AuthorDate: Fri Dec 6 14:41:19 2024 +0000 Commit: Thorsten Behrens <[email protected]> CommitDate: Mon Jan 13 01:42:58 2025 +0100 look at 'embedded' protocols too Change-Id: Ie99f5f5a390639bdc69397c831e0a32594a5030c Reviewed-on: https://gerrit.libreoffice.org/c/core/+/177981 Tested-by: Jenkins Reviewed-by: Caolán McNamara <[email protected]> (cherry picked from commit 59891cd3985469bc44dbd05c9fc704eeb07f0c78) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/177987 Reviewed-by: Stephan Bergmann <[email protected]> (cherry picked from commit b63aa51c55244ee67410201fa5e7c003427b1009) diff --git a/tools/source/fsys/urlobj.cxx b/tools/source/fsys/urlobj.cxx index 290d127ab458..84a6a69ca3b5 100644 --- a/tools/source/fsys/urlobj.cxx +++ b/tools/source/fsys/urlobj.cxx 
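Review bot: The `vnd.sun.star.zip` branch of IsExoticProtocol carries no comment explaining why it parses the payload by hand while the `vnd.sun.star.pkg` branch can simply use `GetHost()`, and the final `return` packs search, slice, decode and recursion into one very long expression. Going by the accompanying test, zip URLs come back as `INetProtocol::Generic`, so a comment such as `// vnd.sun.star.zip is only parsed generically: the embedded URL is the still-encoded text after "//" up to the first '/' or '?'` would record that. Splitting the expression with `auto const nEnd = std::min(find('/'), find('?'));` and a named `OUString const sInner = decode(sPayloadURL.copy(2, nEnd - 2), INetURLObject::DecodeMechanism::WithCharset);` makes the bounds easier to check. Note also that a zip URL whose path does not start with `//` is reported as not exotic; whether such a URL can still be resolved elsewhere is not visible here and is worth confirming.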
@@ -4966,12 +4966,21 @@ OUString INetURLObject::CutExtension() bool INetURLObject::IsExoticProtocol() const { - return m_eScheme == INetProtocol::Slot || - m_eScheme == INetProtocol::Macro || - m_eScheme == INetProtocol::Uno || - m_eScheme == INetProtocol::VndSunStarExpand || - isSchemeEqualTo(u"vnd.sun.star.script") || - isSchemeEqualTo(u"service"); + if (m_eScheme == INetProtocol::Slot || + m_eScheme == INetProtocol::Macro || + m_eScheme == INetProtocol::Uno || + m_eScheme == INetProtocol::VndSunStarExpand || + isSchemeEqualTo(u"vnd.sun.star.script") || + isSchemeEqualTo(u"service")) + { + return true; + } + if (isSchemeEqualTo(u"vnd.sun.star.pkg") || isSchemeEqualTo(u"vnd.sun.star.zip")) + { + OUString sPayloadURL = GetURLPath(INetURLObject::DecodeMechanism::WithCharset); + return sPayloadURL.startsWith(u"//") && INetURLObject(sPayloadURL.subView(2)).IsExoticProtocol(); + } + return false; } /* vim:set shiftwidth=4 softtabstop=4 expandtab: */ commit 168dff150bfc63fa4066344eda1674c61bb2d9b9 Author: Caolán McNamara <[email protected]> AuthorDate: Fri Nov 15 12:30:39 2024 +0000 Commit: Thorsten Behrens <[email protected]> CommitDate: Mon Jan 13 01:42:55 2025 +0100 consider VndSunStarExpand an exotic protocol and generally don't bother with it when fetching data from urls Change-Id: I51a2601c6fb7d6c32f9e2d1286ee0d3b05b370b9 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/176797 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit d6c89af2598e866aa9cb4fa3600691fb558befdb) diff --git a/avmedia/source/viewer/mediawindow_impl.cxx b/avmedia/source/viewer/mediawindow_impl.cxx index 0844845a1bac..73a46a31ef5c 100644 --- a/avmedia/source/viewer/mediawindow_impl.cxx +++ b/avmedia/source/viewer/mediawindow_impl.cxx 
@@ -186,17 +186,20 @@ void MediaWindowImpl::dispose() uno::Reference<media::XPlayer> MediaWindowImpl::createPlayer(const OUString& rURL, const OUString& rReferer, const OUString* pMimeType) { - uno::Reference<media::XPlayer> xPlayer; - if( rURL.isEmpty() ) - return xPlayer; + return nullptr; if (SvtSecurityOptions().isUntrustedReferer(rReferer)) { - return xPlayer; + return nullptr; } uno::Reference<uno::XComponentContext> xContext(::comphelper::getProcessComponentContext()); + if (INetURLObject(rURL).IsExoticProtocol()) + return nullptr; + + uno::Reference<media::XPlayer> xPlayer; + if (!pMimeType || *pMimeType == AVMEDIA_MIMETYPE_COMMON) { diff --git a/editeng/source/items/frmitems.cxx b/editeng/source/items/frmitems.cxx index 18a8cd955c78..9e92c9ffe857 100644 --- a/editeng/source/items/frmitems.cxx +++ b/editeng/source/items/frmitems.cxx @@ -3805,6 +3805,13 @@ const GraphicObject* SvxBrushItem::GetGraphicObject(OUString const & referer) co return nullptr; } + INetURLObject aGraphicURL( maStrLink ); + if (aGraphicURL.IsExoticProtocol()) + { + SAL_WARN("editeng", "Ignore exotic protocol: " << maStrLink); + return nullptr; + } + // tdf#94088 prepare graphic and state Graphic aGraphic; bool bGraphicLoaded = false; @@ -3825,8 +3832,6 @@ const GraphicObject* SvxBrushItem::GetGraphicObject(OUString const & referer) co // a 'data:' scheme url and try to load that (embedded graphics) if(!bGraphicLoaded) { - INetURLObject aGraphicURL( maStrLink ); - if( INetProtocol::Data == aGraphicURL.GetProtocol() ) { std::unique_ptr<SvMemoryStream> const xMemStream(aGraphicURL.getData()); diff --git a/embeddedobj/source/commonembedding/persistence.cxx b/embeddedobj/source/commonembedding/persistence.cxx index fc93ae18db25..7a2b4518c281 100644 --- a/embeddedobj/source/commonembedding/persistence.cxx +++ b/embeddedobj/source/commonembedding/persistence.cxx 
@@ -55,6 +55,9 @@ #include <comphelper/storagehelper.hxx> #include <comphelper/mimeconfighelper.hxx> #include <comphelper/namedvaluecollection.hxx> +#include <unotools/configmgr.hxx> +#include <tools/urlobj.hxx> +#include <unotools/securityoptions.hxx> #include <tools/diagnose_ex.h> #include "persistence.hxx" @@ -375,6 +378,13 @@ uno::Reference< util::XCloseable > OCommonEmbeddedObject::LoadLink_Impl() sal_Int32 nLen = 2; uno::Sequence< beans::PropertyValue > aArgs( nLen ); + + if (INetURLObject(m_aLinkURL).IsExoticProtocol()) + { + SAL_WARN("embeddedobj.common", "Ignore exotic protocol: " << m_aLinkURL); + return nullptr; + } + aArgs[0].Name = "URL"; aArgs[0].Value <<= m_aLinkURL; aArgs[1].Name = "FilterName"; diff --git a/forms/source/component/ImageControl.cxx b/forms/source/component/ImageControl.cxx index fe677cd82845..f0af0d8ae3c5 100644 --- a/forms/source/component/ImageControl.cxx +++ b/forms/source/component/ImageControl.cxx @@ -398,6 +398,12 @@ void OImageControlModel::read(const Reference<XObjectInputStream>& _rxInStream) bool OImageControlModel::impl_updateStreamForURL_lck( const OUString& _rURL, ValueChangeInstigator _eInstigator ) { + OUString referer; + getPropertyValue("Referer") >>= referer; + if (SvtSecurityOptions().isUntrustedReferer(referer) || INetURLObject(_rURL).IsExoticProtocol()) { + return false; + } + // create a stream for the image specified by the URL std::unique_ptr< SvStream > pImageStream; Reference< XInputStream > xImageStream; diff --git a/forms/source/component/clickableimage.cxx b/forms/source/component/clickableimage.cxx index 34532966f624..89c0b199a0b1 100644 --- a/forms/source/component/clickableimage.cxx +++ b/forms/source/component/clickableimage.cxx 
@@ -709,7 +709,7 @@ namespace frm // the SfxMedium is not allowed to be created with an invalid URL, so we have to check this first INetURLObject aUrl(rURL); - if (INetProtocol::NotValid == aUrl.GetProtocol()) + if (INetProtocol::NotValid == aUrl.GetProtocol() || aUrl.IsExoticProtocol()) // we treat an invalid URL like we would treat no URL return; diff --git a/sfx2/source/appl/linkmgr2.cxx b/sfx2/source/appl/linkmgr2.cxx index 6a27fb4d8e08..701074bb9beb 100644 --- a/sfx2/source/appl/linkmgr2.cxx +++ b/sfx2/source/appl/linkmgr2.cxx @@ -497,6 +497,21 @@ bool LinkManager::GetGraphicFromAny( const OUString& rMimeType, css::uno::Sequence< sal_Int8 > aSeq; if( rValue.hasValue() && ( rValue >>= aSeq ) ) { + OUString sURL = rValue.get<OUString>(); + if (!SvtSecurityOptions().isUntrustedReferer(rReferer) && + !INetURLObject(sURL).IsExoticProtocol()) + { + rGraphic = vcl::graphic::loadFromURL(sURL, pParentWin); + } + if (rGraphic.IsNone()) + rGraphic.SetDefaultType(); + rGraphic.setOriginURL(sURL); + return true; + } + else if (rValue.has<css::uno::Sequence<sal_Int8>>()) + { + auto aSeq = rValue.get<css::uno::Sequence<sal_Int8>>(); + SvMemoryStream aMemStm( const_cast<sal_Int8 *>(aSeq.getConstArray()), aSeq.getLength(), StreamMode::READ ); aMemStm.Seek( 0 ); diff --git a/sw/source/filter/html/htmlgrin.cxx b/sw/source/filter/html/htmlgrin.cxx index 9d3ff89778b6..5965e6a856e8 100644 --- a/sw/source/filter/html/htmlgrin.cxx +++ b/sw/source/filter/html/htmlgrin.cxx 
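Review bot: In the sfx2/source/appl/linkmgr2.cxx hunk the new URL-loading code is still guarded by the old condition `rValue.hasValue() && ( rValue >>= aSeq )`, which succeeds when the Any holds a byte sequence, yet the first statement inside is `rValue.get<OUString>()`. As written, a byte-sequence value reaches the string extraction (which, as far as I know, throws on a type mismatch), a string value never enters the branch at all, and the added `else if (rValue.has<css::uno::Sequence<sal_Int8>>())` is unreachable. This looks like a condition line lost while backporting; the guard should presumably read `if (rValue.has<OUString>())`, with the outer `aSeq` declaration dropped because the else branch declares its own. `rReferer` and `pParentWin` do not appear in the visible part of GetGraphicFromAny's signature, which continues outside the hunk, so confirm they exist on this branch.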
@@ -586,6 +586,23 @@ IMAGE_SETEVENT: bool bSetScaleImageMap = false; sal_uInt8 nPrcWidth = 0, nPrcHeight = 0; + // bPrcWidth / bPrcHeight means we have a percent size. If that's not the case and we have no + // size from nWidth / nHeight either, then inspect the image header. + if ((!bPrcWidth && !nWidth) && (!bPrcHeight && !nHeight) && allowAccessLink(*m_xDoc) && + !aGraphicURL.IsExoticProtocol()) + { + GraphicDescriptor aDescriptor(aGraphicURL); + if (aDescriptor.Detect(/*bExtendedInfo=*/true)) + { + // Try to use size info from the image header before defaulting to + // HTML_DFLT_IMG_WIDTH/HEIGHT. + aTwipSz = Application::GetDefaultDevice()->PixelToLogic(aDescriptor.GetSizePixel(), + MapMode(MapUnit::MapTwip)); + nWidth = aTwipSz.getWidth(); + nHeight = aTwipSz.getHeight(); + } + } + if( !nWidth || !nHeight ) { // When the graphic is in a table, it will be requested immediately, diff --git a/toolkit/source/controls/unocontrols.cxx b/toolkit/source/controls/unocontrols.cxx index b2363d8b510b..03621c16e54a 100644 --- a/toolkit/source/controls/unocontrols.cxx +++ b/toolkit/source/controls/unocontrols.cxx @@ -38,6 +38,7 @@ #include <toolkit/controls/stdtabcontroller.hxx> #include <toolkit/helper/property.hxx> #include <toolkit/helper/servicenames.hxx> +#include <tools/urlobj.hxx> #include <toolkit/helper/macros.hxx> // for introspection @@ -91,7 +92,7 @@ css::uno::Reference< css::graphic::XGraphic > ImageHelper::getGraphicFromURL_nothrow( const OUString& _rURL ) { uno::Reference< graphic::XGraphic > xGraphic; - if ( _rURL.isEmpty() ) + if ( _rURL.isEmpty() || SvtSecurityOptions().isUntrustedReferer(referer) || INetURLObject(_rURL).IsExoticProtocol()) return xGraphic; try diff --git a/tools/source/fsys/urlobj.cxx b/tools/source/fsys/urlobj.cxx index 5219a4e30aa9..290d127ab458 100644 --- a/tools/source/fsys/urlobj.cxx +++ b/tools/source/fsys/urlobj.cxx 
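Review bot: In the toolkit/source/controls/unocontrols.cxx hunk the new condition calls `SvtSecurityOptions().isUntrustedReferer(referer)`, but ImageHelper::getGraphicFromURL_nothrow as shown takes only `_rURL` and nothing named `referer` is declared in the visible lines. The hunk also adds only `<tools/urlobj.hxx>`, with no header for SvtSecurityOptions. Unless both are supplied outside the hunk, this will not compile on this branch. Either pass the referer in as a parameter, or keep the check the function has data for: `if ( _rURL.isEmpty() || INetURLObject(_rURL).IsExoticProtocol() )`.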
@@ -4969,6 +4969,7 @@ bool INetURLObject::IsExoticProtocol() const return m_eScheme == INetProtocol::Slot || m_eScheme == INetProtocol::Macro || m_eScheme == INetProtocol::Uno || + m_eScheme == INetProtocol::VndSunStarExpand || isSchemeEqualTo(u"vnd.sun.star.script") || isSchemeEqualTo(u"service"); } diff --git a/unotools/source/misc/mediadescriptor.cxx b/unotools/source/misc/mediadescriptor.cxx index c8c2ec98ea91..3134cd7af113 100644 --- a/unotools/source/misc/mediadescriptor.cxx +++ b/unotools/source/misc/mediadescriptor.cxx @@ -599,6 +599,9 @@ bool MediaDescriptor::impl_openStreamWithPostData( const css::uno::Reference< cs /*-----------------------------------------------*/ bool MediaDescriptor::impl_openStreamWithURL( const OUString& sURL, bool bLockFile ) { + if (INetURLObject(sURL).IsExoticProtocol()) + return false; + OUString referer(getUnpackedValueOrDefault(PROP_REFERRER(), OUString())); if (SvtSecurityOptions().isUntrustedReferer(referer)) { return false; diff --git a/vcl/source/filter/graphicfilter.cxx b/vcl/source/filter/graphicfilter.cxx index 1638ae023eb9..de0da60b7573 100644 --- a/vcl/source/filter/graphicfilter.cxx +++ b/vcl/source/filter/graphicfilter.cxx 
@@ -1298,10 +1298,16 @@ sal_uInt16 GraphicFilter::CanImportGraphic( const OUString& rMainUrl, SvStream& sal_uInt16 GraphicFilter::ImportGraphic( Graphic& rGraphic, const INetURLObject& rPath, sal_uInt16 nFormat, sal_uInt16 * pDeterminedFormat, GraphicFilterImportFlags nImportFlags ) { - sal_uInt16 nRetValue = GRFILTER_FORMATERROR; SAL_WARN_IF( rPath.GetProtocol() == INetProtocol::NotValid, "vcl.filter", "GraphicFilter::ImportGraphic() : ProtType == INetProtocol::NotValid" ); OUString aMainUrl( rPath.GetMainURL( INetURLObject::DecodeMechanism::NONE ) ); + if (rPath.IsExoticProtocol()) + { + SAL_WARN("vcl.filter", "GraphicFilter::ImportGraphic(), ignore exotic protocol: " << aMainUrl); + return ERRCODE_GRFILTER_FORMATERROR; + } + + ErrCode nRetValue = ERRCODE_GRFILTER_FORMATERROR; std::unique_ptr<SvStream> xStream(::utl::UcbStreamHelper::CreateStream( aMainUrl, StreamMode::READ | StreamMode::SHARE_DENYNONE )); if (xStream) { commit 4023b01ac64ed3e7246c19d5dcbe9a7c481da15f Author: Caolán McNamara <[email protected]> AuthorDate: Fri Nov 8 16:51:47 2024 +0000 Commit: Thorsten Behrens <[email protected]> CommitDate: Mon Jan 13 01:38:17 2025 +0100 be conservative on allowed temp font names Change-Id: Iefdc1a8c9b4c7e8c08c84f747f8287ac3c419839 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/176236 Reviewed-by: Michael Stahl <[email protected]> Tested-by: Jenkins (cherry picked from commit f761d098e9a0960554aa4fc02f84a711b50a1cff) diff --git a/vcl/source/gdi/embeddedfontshelper.cxx b/vcl/source/gdi/embeddedfontshelper.cxx index d370c381b1f4..154b4a3d74e0 100644 --- a/vcl/source/gdi/embeddedfontshelper.cxx +++ b/vcl/source/gdi/embeddedfontshelper.cxx @@ -15,6 +15,8 @@ #include <rtl/bootstrap.hxx> #include <vcl/svapp.hxx> #include <vcl/embeddedfontshelper.hxx> +#include <com/sun/star/io/XInputStream.hpp> +#include <comphelper/storagehelper.hxx> #include "fontsubset.hxx" #include "outdev.h" 
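Review bot: In the vcl/source/filter/graphicfilter.cxx hunk, GraphicFilter::ImportGraphic is still declared as returning `sal_uInt16` and the removed line used `GRFILTER_FORMATERROR`, but the added lines return `ERRCODE_GRFILTER_FORMATERROR` and retype `nRetValue` as `ErrCode`. The unchanged signature suggests this branch has not moved the filter API to ErrCode, in which case the new names either do not resolve or the value is narrowed on return. The early exit should match the branch, `return GRFILTER_FORMATERROR;`, with `sal_uInt16 nRetValue = GRFILTER_FORMATERROR;` kept below it. The function body continues past the hunk.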
@@ -161,10 +163,6 @@ bool EmbeddedFontsHelper::addEmbeddedFont( const uno::Reference< io::XInputStrea OUString EmbeddedFontsHelper::fileUrlForTemporaryFont( const OUString& fontName, const char* extra ) { - OUString path = "${$BRAND_BASE_DIR/" LIBO_ETC_FOLDER "/" SAL_CONFIGFILE( "bootstrap") "::UserInstallation}"; - rtl::Bootstrap::expandMacros( path ); - path += "/user/temp/embeddedfonts/fromdocs/"; - osl::Directory::createPath( path ); OUString filename = fontName; static int uniqueCounter = 0; if( strcmp( extra, "?" ) == 0 ) 
@@ -172,6 +170,17 @@ OUString EmbeddedFontsHelper::fileUrlForTemporaryFont( const OUString& fontName, else filename += OStringToOUString( extra, RTL_TEXTENCODING_ASCII_US ); filename += ".ttf"; // TODO is it always ttf? + + if (!::comphelper::OStorageHelper::IsValidZipEntryFileName(filename, false)) + { + SAL_WARN( "vcl.fonts", "Cannot use filename: " << filename << " for temporary font"); + filename = "font" + OUString::number(uniqueCounter++) + ".ttf"; + } + + OUString path = "${$BRAND_BASE_DIR/" LIBO_ETC_FOLDER "/" SAL_CONFIGFILE( "bootstrap") "::UserInstallation}"; + rtl::Bootstrap::expandMacros( path ); + path += "/user/temp/embeddedfonts/fromdocs/"; + osl::Directory::createPath( path ); return path + filename; } commit a3901fb286a23d36aa5da36644b78ed636e20a78 Author: Sarper Akdemir <[email protected]> AuthorDate: Tue Jun 11 12:39:36 2024 +0200 Commit: Thorsten Behrens <[email protected]> CommitDate: Fri Jan 10 18:49:41 2025 +0100 remove ability to trust not validated macro signatures in high security Giving the user the option to determine if they should trust an invalid signature in HIGH macro security doesn't make sense. CommonName of the signature is the most prominent feature presented and the CommonName of a certificate can be easily forged for an invalid signature, tricking the user into accepting an invalid signature. in the HIGH macro security setting only show the pop-up to enable/disable signed macro if the certificate signature can be validated. cherry-picked without UI/String altering bits for 24-2 Change-Id: Ia766fb701660160ee5dc9f6e077f4012a44ce721 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/168667 Tested-by: Jenkins Reviewed-by: Sarper Akdemir <[email protected]> (cherry picked from commit 2beaa3be3829303e948d401f492dbfd239d60aad) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/169525 Reviewed-by: Thorsten Behrens <[email protected]> 
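Review bot: The validation block added to fileUrlForTemporaryFont does not say what it protects against, so a later cleanup could reorder or remove it without noticing the consequence. `fontName` is concatenated directly into a path under `/user/temp/embeddedfonts/fromdocs/`, and the directory name suggests it originates from the document, so a comment such as `// fontName may come from the document: accept only a plain file name so the result cannot point outside the fromdocs directory` would record the intent. It would also help to state what the `false` passed to `IsValidZipEntryFileName` selects, since its meaning is not visible at the call site. The fallback `"font" + OUString::number(uniqueCounter++) + ".ttf"` shares `uniqueCounter` with the branch above it, whose body is outside the hunk, so confirm the two cannot produce the same name.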
diff --git a/sfx2/source/doc/docmacromode.cxx b/sfx2/source/doc/docmacromode.cxx index 3453e0facaf0..bd7f8e8483c7 100644 --- a/sfx2/source/doc/docmacromode.cxx +++ b/sfx2/source/doc/docmacromode.cxx @@ -222,10 +222,18 @@ namespace sfx2 // check whether the document is signed with trusted certificate if ( nMacroExecutionMode != MacroExecMode::FROM_LIST ) { + SignatureState nSignatureState = m_xData->m_rDocumentAccess.getScriptingSignatureState(); + // the trusted macro check will also retrieve the signature state ( small optimization ) - bool bHasTrustedMacroSignature = m_xData->m_rDocumentAccess.hasTrustedScriptingSignature( nMacroExecutionMode != MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN ); + const SvtSecurityOptions aSecOption; + const bool bAllowUIToAddAuthor = nMacroExecutionMode != MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN + && (nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE + || !aSecOption.IsReadOnly(SvtSecurityOptions::EOption::MacroTrustedAuthors)) + && (nMacroExecutionMode != MacroExecMode::FROM_LIST_AND_SIGNED_WARN + || nSignatureState == SignatureState::OK); + + const bool bHasTrustedMacroSignature = m_xData->m_rDocumentAccess.hasTrustedScriptingSignature(bAllowUIToAddAuthor); - SignatureState nSignatureState = m_xData->m_rDocumentAccess.getScriptingSignatureState(); if ( nSignatureState == SignatureState::BROKEN ) { return disallowMacroExecution(); commit 5e85169f35b13423b9b6163fbd704eb901f5e3c5 Author: Michael Stahl <[email protected]> AuthorDate: Wed Jul 3 18:00:38 2024 +0200 Commit: Thorsten Behrens <[email protected]> CommitDate: Fri Jan 10 18:45:41 2025 +0100 xmlsecurity: add unit test with docx that can only be opened with repair Change-Id: I4f705dd2124383a90b69d04d8b2de0e37f83a495 diff --git a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk index 3bd0ad08a823..274200c67f8c 100644 --- a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk +++ b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk 
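Review bot: In the docmacromode.cxx hunk the `SignatureState::BROKEN` check still runs after `hasTrustedScriptingSignature(bAllowUIToAddAuthor)`, even though the state is now read before that call. For modes other than `FROM_LIST_AND_SIGNED_WARN`, `bAllowUIToAddAuthor` can be true with a broken signature, so the trust check is entered with UI allowed before the document is rejected; what that call does with a broken signature is outside the hunk and should be confirmed. Moving `if ( nSignatureState == SignatureState::BROKEN ) return disallowMacroExecution();` directly below the line that reads `nSignatureState` avoids the question. The retained comment `the trusted macro check will also retrieve the signature state ( small optimization )` is now stale and should be replaced by one explaining the three conditions that make up `bAllowUIToAddAuthor`.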
@@ -24,6 +24,7 @@ $(eval $(call gb_CppunitTest_use_libraries,xmlsecurity_signing, \ sfx \ test \ tl \ + ucbhelper \ unotest \ utl \ xmlsecurity \ diff --git a/xmlsecurity/qa/unit/signing/data/signature-forgery-cdh-lfh.docx b/xmlsecurity/qa/unit/signing/data/signature-forgery-cdh-lfh.docx new file mode 100644 index 000000000000..532705ecf0b5 Binary files /dev/null and b/xmlsecurity/qa/unit/signing/data/signature-forgery-cdh-lfh.docx differ diff --git a/xmlsecurity/qa/unit/signing/signing.cxx b/xmlsecurity/qa/unit/signing/signing.cxx index 9ed53cef4cec..ff9c6a325ab0 100644 --- a/xmlsecurity/qa/unit/signing/signing.cxx +++ b/xmlsecurity/qa/unit/signing/signing.cxx @@ -22,6 +22,9 @@ #include <test/xmltesttools.hxx> #include <com/sun/star/document/XStorageBasedDocument.hpp> +#include <com/sun/star/beans/XPropertySet.hpp> +#include <com/sun/star/document/MacroExecMode.hpp> +#include <com/sun/star/document/BrokenPackageRequest.hpp> #include <com/sun/star/embed/XStorage.hpp> #include <com/sun/star/embed/XTransactedObject.hpp> #include <com/sun/star/frame/Desktop.hpp> @@ -30,6 +33,7 @@ #include <com/sun/star/xml/crypto/SEInitializer.hpp> #include <com/sun/star/io/TempFile.hpp> #include <com/sun/star/packages/manifest/ManifestReader.hpp> +#include <com/sun/star/task/XInteractionApprove.hpp> #include <comphelper/processfactory.hxx> #include <sax/tools/converter.hxx> @@ -49,6 +53,13 @@ #include <xmlsignaturehelper.hxx> #include <documentsignaturemanager.hxx> #include <biginteger.hxx> +#include <certificate.hxx> +#include <xsecctl.hxx> +#include <ucbhelper/interceptedinteraction.hxx> +#include <sfx2/docfile.hxx> +#include <sfx2/docfilt.hxx> +#include <officecfg/Office/Common.hxx> +#include <comphelper/configuration.hxx> using namespace com::sun::star; 
@@ -894,6 +905,39 @@ void SigningTest::testXAdESGood() (nActual == SignatureState::NOTVALIDATED || nActual == SignatureState::OK)); } + +CPPUNIT_TEST_FIXTURE(SigningTest, testInvalidZIP) +{ +// set RepairPackage via interaction handler, same as soffice does +// - if it's passed to load the behavior is different, oddly enough. +#if 0 + std::vector<::ucbhelper::InterceptedInteraction::InterceptedRequest> interceptions{ + { css::uno::Any(css::document::BrokenPackageRequest()), + cppu::UnoType<css::task::XInteractionApprove>::get(), 0 }, + }; + ::rtl::Reference<ucbhelper::InterceptedInteraction> pIH(new ucbhelper::InterceptedInteraction); + pIH->setInterceptions(std::move(interceptions)); + + uno::Sequence<beans::PropertyValue> args = { comphelper::makePropertyValue( + "InteractionHandler", uno::Reference<task::XInteractionHandler>(pIH)) }; +#endif + OUString const url(m_directories.getURLFromSrc(DATA_DIRECTORY) + + "signature-forgery-cdh-lfh.docx"); + mxComponent = mxDesktop->loadComponentFromURL(url, "_default", 0, {} /*args*/); + SfxBaseModel* pBaseModel = dynamic_cast<SfxBaseModel*>(mxComponent.get()); + CPPUNIT_ASSERT(!pBaseModel); // old branch cannot repair DOCX +#if 0 + CPPUNIT_ASSERT(pBaseModel); + SfxObjectShell* pObjectShell = pBaseModel->GetObjectShell(); + CPPUNIT_ASSERT(pObjectShell); + // the problem was that the document Zip structure is interpreted + // misleadingly in RepairPackage case, but signature was still returned + // as partially valid. 
+ CPPUNIT_ASSERT_EQUAL(static_cast<int>(SignatureState::BROKEN), + static_cast<int>(pObjectShell->GetDocumentSignatureState())); +#endif +} + void SigningTest::registerNamespaces(xmlXPathContextPtr& pXmlXpathCtx) { xmlXPathRegisterNs(pXmlXpathCtx, BAD_CAST("odfds"), BAD_CAST("urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0")); commit 4cca799d1018d205363bf0e05b698e2ad3d848c6 Author: Michael Stahl <[email protected]> AuthorDate: Tue Jul 2 13:24:38 2024 +0200 Commit: Thorsten Behrens <[email protected]> CommitDate: Fri Jan 10 18:41:12 2025 +0100 sfx2: SfxObjectShell should not trust any signature on repaired package Change-Id: I0317f80989e9dabd23e88e3caab26ede3fb5bd56 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/169883 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit 8b333575ee680664fa3d83249ccec90881754ad7) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/169930 Reviewed-by: Caolán McNamara <[email protected]> (cherry picked from commit 05b9e388448b1c8c10b18c22898c4725dd176fed) diff --git a/sfx2/source/doc/objserv.cxx b/sfx2/source/doc/objserv.cxx index 17964b3a5dc6..346008fd1039 100644 --- a/sfx2/source/doc/objserv.cxx +++ b/sfx2/source/doc/objserv.cxx @@ -1343,6 +1343,13 @@ SignatureState SfxObjectShell::ImplGetSignatureState( bool bScriptingContent ) { SignatureState* pState = bScriptingContent ? &pImpl->nScriptingSignatureState : &pImpl->nDocumentSignatureState; + // repaired package cannot be trusted + SfxBoolItem const*const pRepairItem{static_cast<SfxBoolItem const*>(GetMedium()->GetItemSet()->GetItem(SID_REPAIRPACKAGE, false))}; + if (pRepairItem && pRepairItem->GetValue()) + { + *pState = SignatureState::BROKEN; + } + if ( *pState == SignatureState::UNKNOWN ) { *pState = SignatureState::NOSIGNATURES;
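Review bot: testInvalidZIP only asserts that the load fails (`CPPUNIT_ASSERT(!pBaseModel)`); the check that the signature state is `SignatureState::BROKEN` sits inside `#if 0`, so on this branch nothing in the test exercises the repaired-package handling it was written for. The interaction-handler setup is disabled too, which leaves the added includes and the `ucbhelper` link dependency serving only dead code. If the disabled blocks are kept for a later enablement, mark them with something like `// TODO: enable once this branch can load the document via RepairPackage; until then the BROKEN-state assertion is not covered`. Otherwise drop them together with the unused includes.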
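Review bot: The block added to SfxObjectShell::ImplGetSignatureState dereferences `GetMedium()` and then `GetItemSet()` without a null check. If either can be null for some object shells (not visible in this hunk; shells without a medium would be the case to check), merely querying the signature state would crash. A guarded form is `SfxMedium* const pMedium = GetMedium();` followed by `SfxItemSet* const pSet = pMedium ? pMedium->GetItemSet() : nullptr;`, with the `SID_REPAIRPACKAGE` lookup done only when `pSet` is non-null. The block also sets `SignatureState::BROKEN` for every repaired package, including one that carries no signature; if that is intended, the `// repaired package cannot be trusted` comment should say so.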
