cppcanvas/source/mtfrenderer/emfplus.cxx | 3 + librelogo/source/LibreLogo/LibreLogo.py | 51 ++++++++++++++++++++- sfx2/source/doc/objmisc.cxx | 13 +++++ sw/inc/unosett.hxx | 2 sw/source/core/text/porfld.cxx | 4 - sw/source/core/text/porfld.hxx | 1 sw/source/core/text/txtfld.cxx | 12 ++++ sw/source/core/unocore/unosett.cxx | 15 ++++-- sw/source/uibase/config/StoredChapterNumbering.cxx | 2 9 files changed, 94 insertions(+), 9 deletions(-)
New commits: commit 07ae8ec9a17c7c1dd7897c8d9494c7395e6d838b Author: Stephan Bergmann <sberg...@redhat.com> AuthorDate: Fri Jun 7 09:28:12 2019 +0200 Commit: Michael Stahl <michael.st...@cib.de> CommitDate: Tue Jun 18 13:52:23 2019 +0200 More uses of referer URL with SvxBrushItem Reviewed-on: https://gerrit.libreoffice.org/73643 Tested-by: Jenkins Reviewed-by: Stephan Bergmann <sberg...@redhat.com> (cherry picked from commit b518882de8213ef71a8003f95fbdf7689069c06d) Conflicts: sw/source/core/text/porfld.cxx sw/source/core/unocore/unosett.cxx Reviewed-on: https://gerrit.libreoffice.org/73860 Tested-by: Jenkins Reviewed-by: Miklos Vajna <vmik...@collabora.com> (cherry picked from commit 87c418a98650ab6e4a62a0b4b72e02fee358dced) Change-Id: I04b524784df4ef453d8b1feec13b62f183a17e23 diff --git a/sw/inc/unosett.hxx b/sw/inc/unosett.hxx index 96668f3680c0..d26a644d48d4 100644 --- a/sw/inc/unosett.hxx +++ b/sw/inc/unosett.hxx @@ -210,7 +210,7 @@ public: static css::uno::Sequence<css::beans::PropertyValue> GetPropertiesForNumFormat( const SwNumFormat& rFormat, OUString const& rCharFormatName, - OUString const* pHeadingStyleName); + OUString const* pHeadingStyleName, OUString const & referer); static void SetPropertiesToNumFormat( SwNumFormat & aFormat, OUString & rCharStyleName, diff --git a/sw/source/core/text/porfld.cxx b/sw/source/core/text/porfld.cxx index 0e7b5e97c1eb..f614be78559b 100644 --- a/sw/source/core/text/porfld.cxx +++ b/sw/source/core/text/porfld.cxx @@ -754,7 +754,7 @@ SwBulletPortion::SwBulletPortion( const sal_Unicode cBullet, SwGrfNumPortion::SwGrfNumPortion( const OUString& rGraphicFollowedBy, - const SvxBrushItem* pGrfBrush, + const SvxBrushItem* pGrfBrush, OUString const & referer, const SwFormatVertOrient* pGrfOrient, const Size& rGrfSize, const bool bLft, const bool bCntr, const sal_uInt16 nMinDst, const bool bLabelAlignmentPosAndSpaceModeActive ) : @@ -768,7 +768,7 @@ SwGrfNumPortion::SwGrfNumPortion( if( pGrfBrush ) { *pBrush = *pGrfBrush; - const Graphic* pGraph = pGrfBrush->GetGraphic(); + const Graphic* pGraph = pGrfBrush->GetGraphic(referer); if( pGraph ) SetAnimated( pGraph->IsAnimated() ); else diff --git a/sw/source/core/text/porfld.hxx b/sw/source/core/text/porfld.hxx index 88146081d247..157ba19898a8 100644 --- a/sw/source/core/text/porfld.hxx +++ b/sw/source/core/text/porfld.hxx @@ -168,6 +168,7 @@ class SwGrfNumPortion : public SwNumberPortion public: SwGrfNumPortion( const OUString& rGraphicFollowedBy, const SvxBrushItem* pGrfBrush, + OUString const & referer, const SwFormatVertOrient* pGrfOrient, const Size& rGrfSize, const bool bLeft, diff --git a/sw/source/core/text/txtfld.cxx b/sw/source/core/text/txtfld.cxx index faa5fa153ae3..5fbbc2447983 100644 --- a/sw/source/core/text/txtfld.cxx +++ b/sw/source/core/text/txtfld.cxx @@ -52,6 +52,7 @@ #include "flddat.hxx" #include "fmtautofmt.hxx" #include <IDocumentSettingAccess.hxx> +#include <sfx2/docfile.hxx> #include <svl/itemiter.hxx> static bool lcl_IsInBody( SwFrame *pFrame ) @@ -478,8 +479,17 @@ SwNumberPortion *SwTextFormatter::NewNumberPortion( SwTextFormatInfo &rInf ) con if( SVX_NUM_BITMAP == rNumFormat.GetNumberingType() ) { + OUString referer; + if (auto const sh1 = rInf.GetVsh()) { + if (auto const doc = sh1->GetDoc()) { + auto const sh2 = doc->GetPersist(); + if (sh2 != nullptr && sh2->HasName()) { + referer = sh2->GetMedium()->GetName(); + } + } + } pRet = new SwGrfNumPortion( pTextNd->GetLabelFollowedBy(), - rNumFormat.GetBrush(), + rNumFormat.GetBrush(), referer, rNumFormat.GetGraphicOrientation(), rNumFormat.GetGraphicSize(), bLeft, bCenter, nMinDist, diff --git a/sw/source/core/unocore/unosett.cxx b/sw/source/core/unocore/unosett.cxx index 80268724eb62..6ccff0bffc00 100644 --- a/sw/source/core/unocore/unosett.cxx +++ b/sw/source/core/unocore/unosett.cxx @@ -57,6 +57,7 @@ #include <vcl/font.hxx> #include <editeng/flstitem.hxx> #include <vcl/metric.hxx> +#include <sfx2/docfile.hxx> #include <svtools/ctrltool.hxx> #include <osl/mutex.hxx> #include <vcl/svapp.hxx> @@ -1322,13 +1323,21 @@ uno::Sequence<beans::PropertyValue> SwXNumberingRules::GetNumberingRuleByIndex( SwStyleNameMapper::FillProgName(sValue, aUString, SwGetPoolIdFromName::TxtColl, true); } - return GetPropertiesForNumFormat(rFormat, CharStyleName, (pDocShell) ? & aUString : nullptr); + OUString referer; + if (pDoc != nullptr) { + auto const sh = pDoc->GetPersist(); + if (sh != nullptr && sh->HasName()) { + referer = sh->GetMedium()->GetName(); + } + } + return GetPropertiesForNumFormat( + rFormat, CharStyleName, (pDocShell) ? & aUString : nullptr, referer); } uno::Sequence<beans::PropertyValue> SwXNumberingRules::GetPropertiesForNumFormat( const SwNumFormat& rFormat, OUString const& rCharFormatName, - OUString const*const pHeadingStyleName) + OUString const*const pHeadingStyleName, OUString const & referer) { bool bChapterNum = pHeadingStyleName != nullptr; @@ -1460,7 +1469,7 @@ uno::Sequence<beans::PropertyValue> SwXNumberingRules::GetPropertiesForNumFormat //graphicbitmap const Graphic* pGraphic = nullptr; if(pBrush ) - pGraphic = pBrush->GetGraphic(); + pGraphic = pBrush->GetGraphic(referer); if(pGraphic) { uno::Reference<awt::XBitmap> xBmp = VCLUnoHelper::CreateBitmap( pGraphic->GetBitmapEx() ); diff --git a/sw/source/uibase/config/StoredChapterNumbering.cxx b/sw/source/uibase/config/StoredChapterNumbering.cxx index 0a129288517f..80df2bea9825 100644 --- a/sw/source/uibase/config/StoredChapterNumbering.cxx +++ b/sw/source/uibase/config/StoredChapterNumbering.cxx @@ -129,7 +129,7 @@ public: OUString dummy; // pass in empty HeadingStyleName - can't import anyway uno::Sequence<beans::PropertyValue> const ret( SwXNumberingRules::GetPropertiesForNumFormat( - *pNumFormat, *pCharStyleName, &dummy)); + *pNumFormat, *pCharStyleName, &dummy, "")); return uno::makeAny(ret); } commit 6ac17fe50205afb227e7a36c2ffbcc62bc76c0d5 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Fri Jun 7 14:04:07 2019 +0100 Commit: Michael Stahl <michael.st...@cib.de> CommitDate: Tue Jun 18 13:51:54 2019 +0200 explictly exclude LibreLogo from XScript usage Change-Id: I567647f0e2f8b82e4ef2995c673abe82f4564228 Reviewed-on: https://gerrit.libreoffice.org/73659 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caol...@redhat.com> Tested-by: Caolán McNamara <caol...@redhat.com> (cherry picked from commit cb0024e3668979dfdef44db5aa15ddfaf035e695) diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx index ddb8cfb7098f..7ad7561de628 100644 --- a/sfx2/source/doc/objmisc.cxx +++ b/sfx2/source/doc/objmisc.cxx @@ -1357,6 +1357,16 @@ namespace } } +namespace { + +// don't allow LibreLogo to be used with our mouseover/etc dom-alike events +bool UnTrustedScript(const OUString& rScriptURL) +{ + return rScriptURL.startsWithIgnoreAsciiCase("vnd.sun.star.script:LibreLogo"); +} + +} + ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptContext, const OUString& _rScriptURL, const Sequence< Any >& aParams, Any& aRet, Sequence< sal_Int16 >& aOutParamIndex, Sequence< Any >& aOutParam, bool bRaiseError, const css::uno::Any* pCaller ) { @@ -1369,6 +1379,9 @@ ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptCon if ( bIsDocumentScript && !lcl_isScriptAccessAllowed_nothrow( _rxScriptContext ) ) return ERRCODE_IO_ACCESSDENIED; + if ( UnTrustedScript(_rScriptURL) ) + return ERRCODE_IO_ACCESSDENIED; + bool bCaughtException = false; Any aException; try commit ab0bc0d7a68d0909a66820b59f2b7e4c46c2cf22 Author: László Németh <nem...@numbertext.org> AuthorDate: Thu Jun 6 14:25:32 2019 +0200 Commit: Michael Stahl <michael.st...@cib.de> CommitDate: Tue Jun 18 13:51:34 2019 +0200 sanitize LibreLogo calls Change-Id: Ie4d9858e5b4b3e55ab08416fb9338d2df34ee5e1 Reviewed-on: https://gerrit.libreoffice.org/73627 Tested-by: Jenkins Reviewed-by: László Németh <nem...@numbertext.org> (cherry picked from commit 1b63fa32bbd4a5b89d2ee3a53b28de4250c8dad3) diff --git a/librelogo/source/LibreLogo/LibreLogo.py b/librelogo/source/LibreLogo/LibreLogo.py index 96d2d131d32b..f501deec18d1 100644 --- a/librelogo/source/LibreLogo/LibreLogo.py +++ b/librelogo/source/LibreLogo/LibreLogo.py @@ -145,6 +145,7 @@ __LineStyle_DOTTED__ = 2 class __Doc__: def __init__(self, doc): self.doc = doc + self.secure = False try: self.drawpage = doc.DrawPage # Writer except: @@ -463,10 +464,58 @@ class LogoProgram(threading.Thread): self.code = code threading.Thread.__init__(self) + def secure(self): + # 0 = secure + if _.secure: + return 0 + + # 1 = forms, fields or embedded objects are forbidden + if _.doc.DrawPage.Forms.getCount() > 0 or _.doc.getTextFields().createEnumeration().hasMoreElements() or _.doc.getEmbeddedObjects().getCount() > 0: + return 1 + + # 2 = hyperlinks with script events + nodes = _.doc.Text.createEnumeration() + while nodes.hasMoreElements(): + node = nodes.nextElement() + if node.supportsService("com.sun.star.text.Paragraph"): + portions = node.createEnumeration() + while portions.hasMoreElements(): + portion = portions.nextElement() + if portion.PropertySetInfo.hasPropertyByName("HyperLinkEvents"): + events = portion.getPropertyValue("HyperLinkEvents") + for event in events.getElementNames(): + attributes = events.getByName(event) + for attribute in attributes: + if attribute.Name == "EventType" and attribute.Value == "Script": + return 2 + + # 2 = images with script events + images = _.doc.DrawPage.createEnumeration() + while images.hasMoreElements(): + image = images.nextElement() + try: + events = image.Events + for event in events.getElementNames(): + attributes = events.getByName(event) + for attribute in attributes: + if attribute.Name == "EventType" and attribute.Value == "Script": + return 2 + except: + pass + + _.secure = True + return 0 + def run(self): global __thread__ try: - exec(self.code) + # check document security + secid = self.secure() + if secid > 0: + parent = _.doc.CurrentController.Frame.ContainerWindow + MessageBox(parent, "Document objects with%s script events" % [" possible", ""][secid-1], "LibreLogo program can't start", "errorbox") + else: + exec(self.code) if _.origcursor[0] and _.origcursor[1]: __dispatcher__(".uno:Escape") try: commit 12509149410c12572bbbdbdab8cc7769d5444a50 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Tue Jun 26 11:58:30 2018 +0100 Commit: Michael Stahl <michael.st...@cib.de> CommitDate: Tue May 7 18:16:14 2019 +0200 forcepoint#47 bail when we detect the emf is broken Change-Id: I065635393763af774b45cbba6bd85c4334383b93 Reviewed-on: https://gerrit.libreoffice.org/56458 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@cib.de> diff --git a/cppcanvas/source/mtfrenderer/emfplus.cxx b/cppcanvas/source/mtfrenderer/emfplus.cxx index 1da733bd9f73..57c19f031285 100644 --- a/cppcanvas/source/mtfrenderer/emfplus.cxx +++ b/cppcanvas/source/mtfrenderer/emfplus.cxx @@ -876,11 +876,14 @@ namespace cppcanvas if (size < 12) { SAL_INFO("cppcanvas.emf", "Size field is less than 12 bytes"); + break; } else if (size > length) { SAL_INFO("cppcanvas.emf", "Size field is greater than bytes left"); + break; } if (dataSize > (size-12)) { SAL_INFO("cppcanvas.emf", "DataSize field is greater than Size-12"); + break; } SAL_INFO("cppcanvas.emf", "EMF+ record size: " << size << " type: " << emfTypeToName(type) << " flags: " << flags << " data size: " << dataSize); _______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits