This is an automated email from the ASF dual-hosted git repository.

ardovm pushed a commit to branch referer41X
in repository https://gitbox.apache.org/repos/asf/openoffice.git

commit 34168885395d9d2a8bce2305f61aefe736444366
Author: Arrigo Marchiori <[email protected]>
AuthorDate: Sat Jan 28 16:20:02 2023 +0100

    Scripts check their "Referer". Menu choices always set a trusted "Referer".
    
    (cherry picked and adapted from commit 
98c68b91f53a89d44b8d4d563791eeb186d6d605)
---
 main/framework/source/uielement/menubarmanager.cxx | 10 ++----
 .../source/protocolhandler/scripthandler.cxx       | 39 +++++++++++-----------
 2 files changed, 23 insertions(+), 26 deletions(-)

diff --git a/main/framework/source/uielement/menubarmanager.cxx 
b/main/framework/source/uielement/menubarmanager.cxx
index 5c32b20c94..ef6c2dc87b 100644
--- a/main/framework/source/uielement/menubarmanager.cxx
+++ b/main/framework/source/uielement/menubarmanager.cxx
@@ -1133,13 +1133,9 @@ IMPL_LINK( MenuBarManager, Select, Menu *, pMenu )
                                        aTargetURL.Complete = 
pMenuItemHandler->aMenuItemURL;
                     m_xURLTransformer->parseStrict( aTargetURL );
 
-                    if ( m_bIsBookmarkMenu )
-                                       {
-                                               // bookmark menu item selected
-                                               aArgs.realloc( 1 );
-                                               aArgs[0].Name = 
::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "Referer" ));
-                                               aArgs[0].Value <<= 
::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( SFX_REFERER_USER ));
-                                       }
+                    aArgs.realloc( 1 );
+                    aArgs[0].Name = ::rtl::OUString( 
RTL_CONSTASCII_USTRINGPARAM( "Referer" ));
+                    aArgs[0].Value <<= ::rtl::OUString( 
RTL_CONSTASCII_USTRINGPARAM( SFX_REFERER_USER ));
 
                                        xDispatch = 
pMenuItemHandler->xMenuItemDispatch;
                                }
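Review bot: With the `m_bIsBookmarkMenu` guard dropped, every dispatch issued from MenuBarManager::Select now carries `Referer = SFX_REFERER_USER`, which the scripthandler half of this commit treats as sufficient to skip the document's macro-execution check, and nothing in the code states that this is only sound while every entry reaching Select is a user-initiated choice from a trusted menu definition. I would add, above `aArgs.realloc( 1 );`: `// Every menu selection is a direct user action, so mark the dispatch with a trusted Referer; this must hold for every menu source, because script handlers relax their security check on it.` Separately, `aArgs.realloc( 1 )` discards whatever aArgs may already hold at this point (its declaration is outside the hunk); if it can be non-empty here, append with `aArgs.realloc( aArgs.getLength() + 1 )` and fill the last element instead of index 0. The Select handler starts before and ends after this hunk.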
diff --git a/main/scripting/source/protocolhandler/scripthandler.cxx 
b/main/scripting/source/protocolhandler/scripthandler.cxx
index 1d8d267b7a..3de168b659 100644
--- a/main/scripting/source/protocolhandler/scripthandler.cxx
+++ b/main/scripting/source/protocolhandler/scripthandler.cxx
@@ -154,14 +154,32 @@ void SAL_CALL 
ScriptProtocolHandler::dispatchWithNotification(
     Any invokeResult;
        bool bCaughtException = sal_False;
        Any aException;
+    Sequence< Any > inArgs( 0 );
 
     if ( m_bInitialised )
     {
+        ::rtl::OUString aReferer;
+        if ( lArgs.getLength() > 0 )
+        {
+            int argCount = 0;
+            for ( int index = 0; index < lArgs.getLength(); index++ )
+            {
+                // The propertyval named "Referer"
+                // is not an argument to be passed to script
+                if ( lArgs[ index ].Name.compareToAscii("Referer") == 0 ) {
+                    lArgs [ index ].Value >>= aReferer;
+                } else {
+                    inArgs.realloc( ++argCount );
+                    inArgs[ argCount - 1 ] = lArgs[ index ].Value;
+                }
+            }
+        }
         try
         {
             ::rtl::OUString xStringUri = ::rtl::Uri::decode( aURL.Complete,
                 rtl_UriDecodeWithCharset, RTL_TEXTENCODING_UTF8 );
             bool bIsDocumentScript = ( xStringUri.indexOfAsciiL( 
RTL_CONSTASCII_STRINGPARAM( "document" ) ) !=-1 );
+            bool bRefererIsTrusted = ( aReferer.compareToAscii("private:", 8) 
== 0 );
 
             // obtain the component for our security check. We could check 
bIsDocumentScript but the "location" could be forged
             if ( getScriptInvocation() ) {
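Review bot: The trust decision at lines 83–84 (`bRefererIsTrusted`) is derived from a value read out of the caller-supplied dispatch arguments, and in the next hunk it short-circuits the document macro-execution check (`!bRefererIsTrusted && !xDocumentScripts->getAllowMacroExecution()`), so the safety of this path rests entirely on no dispatch whose arguments can be influenced by untrusted content being able to carry a "Referer" beginning with `private:`; that invariant is not stated anywhere in the code. I would add a comment above the `bRefererIsTrusted` line, e.g. `// A "private:" Referer is only set by framework code (e.g. menu dispatch) and bypasses the document macro-security setting; any dispatch path whose arguments can be influenced by document content must never supply one.` Two smaller points for the same comment: if lArgs holds more than one "Referer" entry the last one silently wins, and a "Referer" whose Value is not a string leaves aReferer empty and therefore untrusted, which is the safe default. dispatchWithNotification starts before and ends after this hunk.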
@@ -169,7 +187,8 @@ void SAL_CALL 
ScriptProtocolHandler::dispatchWithNotification(
                     xDocumentScripts.set( 
m_xScriptInvocation->getScriptContainer(), UNO_SET_THROW );
 
                 OSL_ENSURE( xDocumentScripts.is(), 
"ScriptProtocolHandler::dispatchWithNotification: can't do the security check!" 
);
-                if ( !xDocumentScripts.is() || 
!xDocumentScripts->getAllowMacroExecution() )
+                if ( !xDocumentScripts.is() ||
+                     ( !bRefererIsTrusted && 
!xDocumentScripts->getAllowMacroExecution() ) )
                     return;
             }
 
@@ -182,27 +201,9 @@ void SAL_CALL 
ScriptProtocolHandler::dispatchWithNotification(
                 "ScriptProtocolHandler::dispatchWithNotification: validate 
xFunc - unable to obtain XScript interface" );
 
            
-            Sequence< Any > inArgs( 0 );
             Sequence< Any > outArgs( 0 );
             Sequence< sal_Int16 > outIndex;
 
-            if ( lArgs.getLength() > 0 )
-            {
-               int argCount = 0;
-               for ( int index = 0; index < lArgs.getLength(); index++ )
-               {
-                   // Sometimes we get a propertyval with name = "Referer"
-                   // this is not an argument to be passed to script, so
-                   // ignore.
-                   if ( lArgs[ index ].Name.compareToAscii("Referer") != 0  ||
-                        lArgs[ index ].Name.getLength() == 0 )
-                   {
-                       inArgs.realloc( ++argCount ); 
-                       inArgs[ argCount - 1 ] = lArgs[ index ].Value;
-                   }
-               }
-            }
-
             // attempt to protect the document against the script tampering 
with its Undo Context
             ::std::auto_ptr< ::framework::DocumentUndoGuard > pUndoGuard;
             if ( bIsDocumentScript )
