[Libreoffice-commits] online.git: loleaflet/html loleaflet/src wsd/FileServer.cpp

2020-04-16 Thread Muhammet Kara (via logerrit)
 loleaflet/html/loleaflet.html.m4 |2 ++
 loleaflet/src/control/Toolbar.js |5 -
 wsd/FileServer.cpp   |5 +
 3 files changed, 11 insertions(+), 1 deletion(-)

New commits:
commit aaf1fa4fc610323fd539d1480ef057e123f98790
Author: Muhammet Kara 
AuthorDate: Thu Apr 16 00:59:43 2020 +0300
Commit: Jan Holesovsky 
CommitDate: Thu Apr 16 11:37:08 2020 +0200

Welcome: Pass welcome value from loolwsd.xml to the JS side

Now we have window.enableWelcomeMessage on the JS side to avoid any
queries at all when the feature is disabled.

Change-Id: I8420089f775bfbf5bcd557c7c720172fbce8c22e
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/92338
Tested-by: Jenkins CollaboraOffice 
Reviewed-by: Jan Holesovsky 

diff --git a/loleaflet/html/loleaflet.html.m4 b/loleaflet/html/loleaflet.html.m4
index dca62ada1..c8d51f0f0 100644
--- a/loleaflet/html/loleaflet.html.m4
+++ b/loleaflet/html/loleaflet.html.m4
@@ -234,6 +234,7 @@ m4_ifelse(MOBILEAPP,[true],
   window.accessTokenTTL = '';
   window.accessHeader = '';
   window.loleafletLogging = 'true';
+  window.enableWelcomeMessage = false;
   window.outOfFocusTimeoutSecs = 100;
   window.idleTimeoutSecs = 100;
   window.reuseCookies = '';
@@ -246,6 +247,7 @@ m4_ifelse(MOBILEAPP,[true],
   window.accessTokenTTL = '%ACCESS_TOKEN_TTL%';
   window.accessHeader = '%ACCESS_HEADER%';
   window.loleafletLogging = '%LOLEAFLET_LOGGING%';
+  window.enableWelcomeMessage = %ENABLE_WELCOME_MSG%;
   window.outOfFocusTimeoutSecs = %OUT_OF_FOCUS_TIMEOUT_SECS%;
   window.idleTimeoutSecs = %IDLE_TIMEOUT_SECS%;
   window.reuseCookies = '%REUSE_COOKIES%';
diff --git a/loleaflet/src/control/Toolbar.js b/loleaflet/src/control/Toolbar.js
index e6f1a7e6f..4e17dece2 100644
--- a/loleaflet/src/control/Toolbar.js
+++ b/loleaflet/src/control/Toolbar.js
@@ -424,12 +424,15 @@ L.Map.include({
},
 
shouldWelcome: function() {
+   if (!window.enableWelcomeMessage || L.Browser.cypressTest)
+   return false;
+
var currentVerCookie = this.getCookie('WSDWelcomeVersion');
var newVerCookie = 'WSDWelcomeVersion=' + 
this._socket.WSDServer.Version;
var welcomeDisabledCookie = 
this.getCookie('WSDWelcomeDisabled');
var isWelcomeDisabled = welcomeDisabledCookie === 
'WSDWelcomeDisabled=true';
 
-   if (currentVerCookie !== newVerCookie && !isWelcomeDisabled && 
!L.Browser.cypressTest) {
+   if (currentVerCookie !== newVerCookie && !isWelcomeDisabled) {
return true;
}
 
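Review bot: The new guard tests `window.enableWelcomeMessage` for truthiness, while the neighbouring values in loleaflet.html.m4 (`window.loleafletLogging = 'true'`) are quoted strings; if the `%ENABLE_WELCOME_MSG%` substitution were ever quoted the same way, the string `'false'` would be truthy and the welcome dialog would come back on. A strict comparison, `if (window.enableWelcomeMessage !== true || L.Browser.cypressTest)`, keeps the check correct for either form and still treats the mobile-app `false` as disabled. shouldWelcome continues past the end of the hunk.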
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index 027655dc9..5a973bc01 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -736,6 +736,11 @@ void FileServerRequestHandler::preprocessFile(const 
HTTPRequest& request, Poco::
 const std::string idleTimeoutSecs= 
config.getString("per_view.idle_timeout_secs", "900");
 Poco::replaceInPlace(preprocess, std::string("%IDLE_TIMEOUT_SECS%"), 
idleTimeoutSecs);
 
+std::string enableWelcomeMessage = "false";
+if (config.getBool("welcome.enable", false))
+enableWelcomeMessage = "true";
+Poco::replaceInPlace(preprocess, std::string("%ENABLE_WELCOME_MSG%"), 
enableWelcomeMessage);
+
 // Capture cookies so we can optionally reuse them for the storage 
requests.
 {
 NameValueCollection cookies;
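Review bot: The two-step `std::string enableWelcomeMessage = "false"; if (config.getBool("welcome.enable", false)) enableWelcomeMessage = "true";` at the top of the hunk reads better as one const initialisation, `const std::string enableWelcomeMessage = config.getBool("welcome.enable", false) ? "true" : "false";`, matching the `const std::string idleTimeoutSecs` just above it. It is also worth a comment that this value is substituted unquoted into loleaflet.html.m4 (`window.enableWelcomeMessage = %ENABLE_WELCOME_MSG%;`), so it must remain a bare JS boolean literal rather than an arbitrary string: `// Emitted as a bare JS literal in loleaflet.html.m4; only "true"/"false" are valid here.` preprocessFile begins and ends outside the hunk.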


[Libreoffice-commits] online.git: loleaflet/html loleaflet/src wsd/FileServer.cpp

2020-01-15 Thread Michael Meeks (via logerrit)
 loleaflet/html/loleaflet.html.m4  |2 +
 loleaflet/src/map/handler/Map.WOPI.js |   54 --
 wsd/FileServer.cpp|   28 +
 3 files changed, 68 insertions(+), 16 deletions(-)

New commits:
commit b5f58fbe8c4f283d10def377c8a687245312fa1f
Author: Michael Meeks 
AuthorDate: Tue Jan 14 16:56:01 2020 +
Commit: Jan Holesovsky 
CommitDate: Wed Jan 15 10:56:27 2020 +0100

postMessage CSS checking improvements.

Ironically our attempts to double-check message origin against our
parent was blowing a security exception.

Instead send the list of origins we will accept from WSD, and
check them ourselves (as well as the browser check).

Why make it so hard to check that a postMessage comes from an
ancestor frame ?

Change-Id: I1311be3e1d68a31cfdc96b45a5eb5dd7f26e7ea9
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/86788
Tested-by: Jenkins CollaboraOffice 
Reviewed-by: Alexandru Vlăduţu 
Reviewed-by: Jan Holesovsky 

diff --git a/loleaflet/html/loleaflet.html.m4 b/loleaflet/html/loleaflet.html.m4
index ad6d90f4b..4addf8955 100644
--- a/loleaflet/html/loleaflet.html.m4
+++ b/loleaflet/html/loleaflet.html.m4
@@ -231,6 +231,7 @@ ifelse(MOBILEAPP,[true],
   window.idleTimeoutSecs = 100;
   window.reuseCookies = '';
   window.protocolDebug = false;
+  window.frameAncestors = '';
   window.tileSize = 256;],
  [window.host = '%HOST%';
   window.serviceRoot = '%SERVICE_ROOT%';
@@ -242,6 +243,7 @@ ifelse(MOBILEAPP,[true],
   window.idleTimeoutSecs = %IDLE_TIMEOUT_SECS%;
   window.reuseCookies = '%REUSE_COOKIES%';
   window.protocolDebug = %PROTOCOL_DEBUG%;
+  window.frameAncestors = '%FRAME_ANCESTORS%';
   window.tileSize = 256;])
 syscmd([cat ]GLOBAL_JS)dnl
 
diff --git a/loleaflet/src/map/handler/Map.WOPI.js 
b/loleaflet/src/map/handler/Map.WOPI.js
index dcd401407..89f01ec53 100644
--- a/loleaflet/src/map/handler/Map.WOPI.js
+++ b/loleaflet/src/map/handler/Map.WOPI.js
@@ -141,13 +141,61 @@ L.Map.WOPI = L.Handler.extend({
this._map.fire('postMessage', {msgId: 'App_LoadingStatus', 
args: {Status: 'Document_Loaded', DocumentLoadedTime: 
this.DocumentLoadedTime}});
},
 
-   _postMessageListener: function(e) {
+   // Naturally we set a CSP to catch badness, but check here as well.
+   // Checking whether a message came from our iframe's parents is
+   // un-necessarily difficult.
+   _allowMessageOrigin: function(e) {
+   // cache - to avoid regexps.
+   if (this._cachedGoodOrigin && this._cachedGoodOrigin === 
e.origin)
+   return true;
 
// e.origin === 'null' when sandboxed (i.e. when the parent is 
a file on local filesystem).
-   if (e.origin !== 'null' && e.origin !== window.parent.origin) {
-   return;
+   if (e.origin === 'null')
+   return true;
+   try {
+   if (e.origin === window.parent.origin)
+   return true;
+   } catch (secErr) { // security error de-referencing 
window.parent.origin.
+   }
+
+   // sent from the server
+   var i;
+   if (!this._allowedOrigins && window.frameAncestors)
+   {
+   var ancestors = window.frameAncestors.trim().split(' ');
+   this._allowedOrigins = ancestors;
+   // convert to JS regexps from localhost:* to 
https*://localhost:.*
+   for (i = 0; i < ancestors.length; i++) {
+   this._allowedOrigins[i] = 'https*://' + 
ancestors[i].replace(/:\*/, ':.*');
+   }
+   }
+
+   if (this._allowedOrigins)
+   {
+   for (i = 0; i < this._allowedOrigins.length; i++) {
+   if (e.origin.match(this._allowedOrigins[i]))
+   {
+   this._cachedGoodOrigin = e.origin;
+   return true;
+   }
+   }
}
 
+   // chrome only
+   if (window.location.ancestorOrigins &&
+   window.location.ancestorOrigins.contains(e.origin))
+   {
+   this._cachedGoodOrigin = e.origin;
+   return true;
+   }
+
+   return false;
+   },
+
+   _postMessageListener: function(e) {
+   if (!this._allowMessageOrigin(e))
+   return;
+
var msg;
try {
msg = JSON.parse(e.data);
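Review bot: The allowed-origin patterns built from window.frameAncestors are applied as unanchored regular expressions with unescaped metacharacters (`'https*://' + ancestors[i].replace(/:\*/, ':.*')` followed by `e.origin.match(...)`), so `.` matches any character and a pattern for `example.com` also accepts origins such as `https://example.com.attacker.example`, while `https*` admits plain `http` too. Anchoring each pattern, escaping the host text and compiling it once, as in the excerpt below, makes only the exact scheme and host pass (any port for a `:*` entry; if an entry without a port should still match every port, use `(:[0-9]+)?` unconditionally). The syntax of the frame_ancestors entries the server sends is not visible in this hunk, so entries carrying a scheme or CSP keywords such as 'self' may need separate handling. The unconditional acceptance of the 'null' origin is carried over from the previous code and is not part of this change.
```javascript
if (!this._allowedOrigins && window.frameAncestors)
{
	var ancestors = window.frameAncestors.trim().split(' ');
	this._allowedOrigins = [];
	for (i = 0; i < ancestors.length; i++) {
		// Escape regexp metacharacters so '.' in host names is literal;
		// a trailing ':*' means any port. Anchor so a longer host cannot match.
		var anyPort = /:\*$/.test(ancestors[i]);
		var host = ancestors[i].replace(/:\*$/, '').replace(/[.*+?^${}()|[\]\\\/]/g, '\\$&');
		this._allowedOrigins.push(new RegExp('^https?://' + host + (anyPort ? '(:[0-9]+)?' : '') + '$'));
	}
}

if (this._allowedOrigins)
{
	for (i = 0; i < this._allowedOrigins.length; i++) {
		if (this._allowedOrigins[i].test(e.origin))
		// … unchanged: cache the origin and return true …
```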
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index 3cf3fbc51..07ac439b3 100644