sfx2/source/doc/iframe.cxx        |    4 ++++
 sfx2/source/inc/eventsupplier.hxx |    1 -
 2 files changed, 4 insertions(+), 1 deletion(-)

New commits:
commit 6ce7620a163e9f03c3b4f43162a84e0347ae5b10
Author:     Samuel Mehrbrodt <[email protected]>
AuthorDate: Mon Feb 27 15:27:24 2023 +0100
Commit:     Thorsten Behrens <[email protected]>
CommitDate: Thu Mar 16 01:52:20 2023 +0000

    Check iframe target for allowed document URLs
    
    Change-Id: I00e4192becbc160282a43ab89dcd269f3d1012d8
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147919
    Tested-by: Jenkins
    Reviewed-by: Samuel Mehrbrodt <[email protected]>
    (cherry picked from commit 288c0920a8475f9f2c537212e04aa7649192ad8c)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/148230
    Tested-by: Thorsten Behrens <[email protected]>
    Reviewed-by: Thorsten Behrens <[email protected]>

diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx
index aea851894286..c8c0c76357e7 100644
--- a/sfx2/source/doc/iframe.cxx
+++ b/sfx2/source/doc/iframe.cxx
@@ -46,6 +46,7 @@
 #include <vcl/window.hxx>
 #include <tools/debug.hxx>
 #include <macroloader.hxx>
+#include <eventsupplier.hxx>
 
 using namespace ::com::sun::star;
 
@@ -174,6 +175,9 @@ sal_Bool SAL_CALL IFrameObject::load(
                 return false;
         }
 
+        if (!SfxEvents_Impl::isScriptURLAllowed(aTargetURL.Complete))
+            return false;
+
         DBG_ASSERT( !mxFrame.is(), "Frame already existing!" );
         VclPtr<vcl::Window> pParent = VCLUnoHelper::GetWindow( 
xFrame->getContainerWindow() );
         VclPtr<IFrameWindow_Impl> pWin = VclPtr<IFrameWindow_Impl>::Create( 
pParent, maFrmDescr.IsFrameBorderOn() );
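Review bot: The new allowlist check in IFrameObject::load rejects the target with a bare `return false;`, so a blocked iframe looks like any other failed load when someone later investigates why embedded content did not appear. A trace before the return would make policy rejections auditable, for example `SAL_WARN("sfx.doc", "IFrame target rejected by allowed-URL check: " << aTargetURL.Complete);`. The check is also applied to the `Complete` string as-is. Whether isScriptURLAllowed normalises the URL before matching cannot be seen from this diff and should be confirmed, since a plain prefix comparison on an un-normalised URL would weaken the list. The body of load() starts and ends outside this hunk.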
diff --git a/sfx2/source/inc/eventsupplier.hxx 
b/sfx2/source/inc/eventsupplier.hxx
index 4624ed8b4907..d24345dba1c5 100644
--- a/sfx2/source/inc/eventsupplier.hxx
+++ b/sfx2/source/inc/eventsupplier.hxx
@@ -87,7 +87,6 @@ public:
                                     SfxObjectShell* i_document );
     static void Execute( css::uno::Any const & aEventData, const 
css::document::DocumentEvent& aTrigger, SfxObjectShell* pDoc );
 
-private:
     /// Check if script URL whitelist exists, and if so, if current script url 
is part of it
     static bool isScriptURLAllowed(const OUString& aScriptURL);
 };
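Review bot: The doc comment on isScriptURLAllowed still describes a script-URL check, but with `private:` removed the function is public and this commit calls it on an iframe target document URL. The comment should state the contract callers now rely on, for example `/// Check a script or embedded-document URL against the configured allowlist, if one exists`. It should also say what is returned when no list is configured. The existing wording suggests everything is allowed in that case, but the implementation is not in this diff. The name undersells the new use too, so a neutrally named public wrapper would make the iframe call site easier to read in a security review.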
