This is an automated email from the ASF dual-hosted git repository. mseidel pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/openoffice.git
commit b0db9b13b986beb6c1237d3c2a86d7d1a3d568b2 Author: cbmarcum <[email protected]> AuthorDate: Thu Apr 8 11:37:59 2021 -0400 added help filetype to whitelist. \nPatch by: Arrigo Marchiori (ardovm) and Carl Marcum (cmarcum) (cherry picked from commit aa358bfc895091e0ee5382ad1d25e5d51261463b)
---
 .../data/org/openoffice/Office/Security.xcu | 5 ++
 main/sfx2/source/appl/appopen.cxx | 72 +++++++++++++---------
 2 files changed, 49 insertions(+), 28 deletions(-)
diff --git a/main/officecfg/registry/data/org/openoffice/Office/Security.xcu b/main/officecfg/registry/data/org/openoffice/Office/Security.xcu
index 5e8a5bd..67021a9 100644
--- a/main/officecfg/registry/data/org/openoffice/Office/Security.xcu
+++ b/main/officecfg/registry/data/org/openoffice/Office/Security.xcu
@@ -464,6 +464,11 @@
 <value>qt</value>
 </prop>
 </node>
+ <node oor:name="m89" oor:op="replace">
+ <prop oor:name="Extension" oor:type="xs:string">
+ <value>xhp</value>
+ </prop>
+ </node>
 </node>
 <node oor:name="Hyperlinks">
 <prop oor:name="Open" oor:type="xs:int">
diff --git a/main/sfx2/source/appl/appopen.cxx b/main/sfx2/source/appl/appopen.cxx
index e0799fd..873a302 100644
--- a/main/sfx2/source/appl/appopen.cxx
+++ b/main/sfx2/source/appl/appopen.cxx
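Review bot: The new `m89` entry has no comment saying why `xhp` is on the list, and the allowance it grants looks wider than the help use case named in the commit title. Judging from the appopen.cxx hunk of this commit, the result of `IsSecureHyperlink(aURL.Complete)` is combined with a protocol switch that also treats HTTP, HTTPS and MAILTO as not unsafe, so an `.xhp` link over those protocols would presumably skip the warning too. I would add `<!-- xhp: help pages reached through INET_PROT_VND_SUN_STAR_HELP links -->` above the node and confirm that this breadth is intended.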
@@ -926,42 +926,58 @@ void SfxApplication::OpenDocExec_Impl( SfxRequest& rReq ) Reference < XURLTransformer > xTrans( ::comphelper::getProcessServiceFactory()->createInstance( ::rtl::OUString::createFromAscii("com.sun.star.util.URLTransformer" )), UNO_QUERY ); xTrans->parseStrict( aURL ); - - INetProtocol aINetProtocol = INetURLObject( aURL.Complete ).GetProtocol(); + INetURLObject aINetURLObject(aURL.Complete); + INetProtocol aINetProtocol = aINetURLObject.GetProtocol(); SvtExtendedSecurityOptions aExtendedSecurityOptions; SvtExtendedSecurityOptions::OpenHyperlinkMode eMode = aExtendedSecurityOptions.GetOpenHyperlinkMode(); if ( eMode == SvtExtendedSecurityOptions::OPEN_WITHSECURITYCHECK ) { - if ( aINetProtocol == INET_PROT_FILE ) - { -/*!!! pb: #i49802# no security warning any longer - // Check if file URL is a directory. This is not insecure! - osl::Directory aDir( aURL.Main ); - sal_Bool bIsDir = ( aDir.open() == osl::Directory::E_None ); - - if ( !bIsDir && !aExtendedSecurityOptions.IsSecureHyperlink( aURL.Complete ) ) - { - // Security check for local files depending on the extension - vos::OGuard aGuard( Application::GetSolarMutex() ); - Window *pWindow = SFX_APP()->GetTopWindow(); + /*!!! pb: #i49802# no security warning any longer + ardovm: Restored security checks in March 2021 */ + // Check if file URL is a directory. This is not insecure! + sal_Bool bIsDir = aINetURLObject.hasFinalSlash() || + ( osl::Directory(aURL.Main).open() == + osl::Directory::E_None ); + // Use SvtExtendedSecurityOptions::IsSecureHyperlink() + // to check the extension of the link destination. 
+ sal_Bool bSafeExtension = aExtendedSecurityOptions.IsSecureHyperlink(aURL.Complete); + // We consider some protocols unsafe + sal_Bool bUnsafeProtocol; + switch (aINetProtocol) { + // case INET_PROT_FTP: + case INET_PROT_VND_SUN_STAR_HELP: + case INET_PROT_HTTP: + case INET_PROT_HTTPS: + case INET_PROT_MAILTO: + bUnsafeProtocol = false; + break; + default: // Anything else, including INET_PROT_FILE + bUnsafeProtocol = true; + break; + } + if ( (!bIsDir && !bSafeExtension) || bUnsafeProtocol ) + { + // Security check for local files depending on the extension + vos::OGuard aGuard( Application::GetSolarMutex() ); + Window *pWindow = SFX_APP()->GetTopWindow(); - String aSecurityWarningBoxTitle( SfxResId( RID_SECURITY_WARNING_TITLE )); - WarningBox aSecurityWarningBox( pWindow, SfxResId( RID_SECURITY_WARNING_HYPERLINK )); - aSecurityWarningBox.SetText( aSecurityWarningBoxTitle ); + String aSecurityWarningBoxTitle( SfxResId( RID_SECURITY_WARNING_TITLE )); + WarningBox aSecurityWarningBox( pWindow, SfxResId( RID_SECURITY_WARNING_HYPERLINK )); + aSecurityWarningBox.SetText( aSecurityWarningBoxTitle ); - // Replace %s with the real file name - String aMsgText = aSecurityWarningBox.GetMessText(); - String aMainURL( aURL.Main ); - String aFileName; + // Replace %s with the real file name + String aMsgText = aSecurityWarningBox.GetMessText(); + String aMainURL( aURL.Main ); + String aFileNameInMsg; - utl::LocalFileHelper::ConvertURLToPhysicalName( aMainURL, aFileName ); - aMsgText.SearchAndReplaceAscii( "%s", aFileName ); - aSecurityWarningBox.SetMessText( aMsgText ); + if (!utl::LocalFileHelper::ConvertURLToPhysicalName( aMainURL, aFileNameInMsg )) { + aFileNameInMsg = aMainURL; + } + aMsgText.SearchAndReplaceAscii( "%s", aFileNameInMsg ); + aSecurityWarningBox.SetMessText( aMsgText ); - if( aSecurityWarningBox.Execute() == RET_NO ) - return; - } -*/ + if( aSecurityWarningBox.Execute() == RET_NO ) + return; } } else if ( eMode == SvtExtendedSecurityOptions::OPEN_NEVER && 
aINetProtocol != INET_PROT_VND_SUN_STAR_HELP )
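Review bot: The `osl::Directory(aURL.Main).open()` probe in the new `bIsDir` initialiser runs before the warning box is shown, and for `file:` URLs its result cannot change the outcome. The `default:` arm of the switch already sets `bUnsafeProtocol = true`, and the condition is `(!bIsDir && !bSafeExtension) || bUnsafeProtocol`. So the link target is opened on disk, or presumably on whatever remote location the URL names, before the user has had the chance to answer RET_NO. For the protocols in the safe list the probe is applied to a non-file URL, where it is unlikely to mean anything. I would reduce the test to `sal_Bool bIsDir = aINetURLObject.hasFinalSlash();` and reword the comment `// Check if file URL is a directory. This is not insecure!`, since a `file:` directory now always gets the warning; note that OpenDocExec_Impl starts and ends outside this hunk.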
