desktop/source/lib/init.cxx | 8 ++++---- include/tools/hostfilter.hxx | 2 ++ tools/source/inet/hostfilter.cxx | 14 +++++++++++++- 3 files changed, 19 insertions(+), 5 deletions(-)
New commits: commit 042ffad714351189fb0c4f3b394147ed5e6bccea Author: Méven Car <[email protected]> AuthorDate: Thu Nov 13 12:28:58 2025 +0100 Commit: Tomaž Vajngerl <[email protected]> CommitDate: Wed Nov 19 13:21:52 2025 +0100 HostFilter: Allow to disable SSL Host verification for allowed hosts LOK_HOST_ALLOWLIST allows to pass a restricted list of hosts that curlsession will be allowed to download from. LOK_HOST_ALLOWLIST_EXEMPT_VERIFY_HOST reuses this list for the use case of not verifying SSL host additionaly for them. This is useful for say developpement environement. Change-Id: I75ac26a4bfe1c33ff183c4ad12391b2da08593cb Reviewed-on: https://gerrit.libreoffice.org/c/core/+/193961 Tested-by: Jenkins CollaboraOffice <[email protected]> Reviewed-by: Tomaž Vajngerl <[email protected]> (cherry picked from commit 8688e9d8c94a21a7a0abc9edfe632e6fa0e94281) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/194187 Tested-by: Jenkins Reviewed-by: Méven Car <[email protected]> diff --git a/desktop/source/lib/init.cxx b/desktop/source/lib/init.cxx index cffbfcafe6df..4fefc4cf908b 100644 --- a/desktop/source/lib/init.cxx +++ b/desktop/source/lib/init.cxx @@ -8339,11 +8339,11 @@ static int lo_initialize(LibreOfficeKit* pThis, const char* pAppPath, const char rtl_alloc_preInit(2); #endif - char* pAllowlist = ::getenv("LOK_HOST_ALLOWLIST"); - if (pAllowlist) - { + if (const char* pAllowlist = ::getenv("LOK_HOST_ALLOWLIST")) HostFilter::setAllowedHostsRegex(pAllowlist); - } + + if (const char* pHostExemptVerifyHost = ::getenv("LOK_HOST_ALLOWLIST_EXEMPT_VERIFY_HOST")) + HostFilter::setAllowedHostsExemptVerifyHost(strncmp(pHostExemptVerifyHost,"1", 1) == 0); // What stage are we at ? if (pThis == nullptr) diff --git a/include/tools/hostfilter.hxx b/include/tools/hostfilter.hxx index ca2d91355986..8e992b407bbb 100644 --- a/include/tools/hostfilter.hxx +++ b/include/tools/hostfilter.hxx @@ -20,6 +20,8 @@ class TOOLS_DLLPUBLIC HostFilter public: static void setAllowedHostsRegex(const char* sAllowedRegex); + static void setAllowedHostsExemptVerifyHost(bool allowedHostExceptVerifyHost); + static bool isForbidden(const OUString& rHost); static void setExemptVerifyHost(const OUString& rExemptVerifyHost); diff --git a/tools/source/inet/hostfilter.cxx b/tools/source/inet/hostfilter.cxx index e13e3d66cab6..75ade47489af 100644 --- a/tools/source/inet/hostfilter.cxx +++ b/tools/source/inet/hostfilter.cxx @@ -13,6 +13,7 @@ static std::regex g_AllowedHostsRegex(""); static OUString g_ExceptVerifyHost; static bool g_AllowedHostsSet = false; +static bool g_AllowedHostsExemptVerifyHost = false; void HostFilter::setAllowedHostsRegex(const char* sAllowedRegex) { @@ -21,6 +22,11 @@ void HostFilter::setAllowedHostsRegex(const char* sAllowedRegex) g_AllowedHostsRegex = sAllowedRegex; } +void HostFilter::setAllowedHostsExemptVerifyHost(bool allowedHostsExemptVerifyHost) +{ + g_AllowedHostsExemptVerifyHost = allowedHostsExemptVerifyHost; +} + bool HostFilter::isForbidden(const OUString& rHost) { if (!g_AllowedHostsSet) @@ -36,7 +42,13 @@ void HostFilter::setExemptVerifyHost(const OUString& rExemptVerifyHost) bool HostFilter::isExemptVerifyHost(const std::u16string_view rHost) { - return rHost == g_ExceptVerifyHost; + if (rHost == g_ExceptVerifyHost) + return true; + + if (g_AllowedHostsSet && g_AllowedHostsExemptVerifyHost) + return std::regex_match(OUString(rHost).toUtf8().getStr(), g_AllowedHostsRegex); + + return false; } /* vim:set shiftwidth=4 softtabstop=4 expandtab cinoptions=b1,g0,N-s cinkeys+=0=break: */
