#include <comphelper/property.hxx>
#include <comphelper/types.hxx>
#include <cppuhelper/queryinterface.hxx>
+#include <unotools/securityoptions.hxx>
#include <unotools/ucbstreamhelper.hxx>
#include <svl/urihelper.hxx>
bool OImageControlModel::impl_updateStreamForURL_lck( const OUString& _rURL, ValueChangeInstigator _eInstigator )
{
+ OUString referer;
+ getPropertyValue("Referer") >>= referer;
+ if (SvtSecurityOptions().isUntrustedReferer(referer)) {
+ return false;
+ }
+
// create a stream for the image specified by the URL
std::unique_ptr< SvStream > pImageStream;
Reference< XInputStream > xImageStream;
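Review bot: The result of `getPropertyValue("Referer") >>= referer` at the top of impl_updateStreamForURL_lck is discarded, so a void or non-string value silently leaves `referer` empty. The decision then rests on how isUntrustedReferer treats an empty string, which this diff does not show; if empty counts as trusted, a model whose Referer was never set still fetches the URL. I would state the intended behaviour next to the check, e.g. `// an unset Referer yields ""; isUntrustedReferer decides whether that is blocked`, or test the extraction result explicitly. The same unchecked extraction appears in the download hunk (`getPropertyValue("Referer") >>= referer;` before `m_pMedium->Download`) and in the BASEPROPERTY_REFERER lookup (`any >>= referer;`). The function body continues outside this hunk.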
#include <comphelper/types.hxx>
#include <cppuhelper/exc_hlp.hxx>
#include <svtools/imageresourceaccess.hxx>
+#include <unotools/securityoptions.hxx>
#define LOCAL_URL_PREFIX '#'
m_bProdStarted = false;
- // Kick off download (caution: can be synchronous).
- m_pMedium->Download(LINK(this, OClickableImageBaseModel, DownloadDoneLink));
+ OUString referer;
+ getPropertyValue("Referer") >>= referer;
+ if (!SvtSecurityOptions().isUntrustedReferer(referer)) {
+ // Kick off download (caution: can be synchronous).
+ m_pMedium->Download(LINK(this, OClickableImageBaseModel, DownloadDoneLink));
+ }
}
else
{
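Review bot: When the referer is untrusted, the new `if` skips `m_pMedium->Download(...)` without leaving any trace, so DownloadDoneLink is never invoked for the object held in m_pMedium. Whether the surrounding code copes with a download that never starts cannot be judged from here, because the enclosing function begins and ends outside the hunk. An else branch with a log line would make blocked fetches diagnosable, for example `else { SAL_INFO("<log-area>", "image download blocked: untrusted referer"); }`. A short comment that the medium is deliberately left idle would also help.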
// appropriately ( e.g. NULL if non GraphicObject scheme ) or a valid
// object if the rURL points to a valid object
static css::uno::Reference< css::graphic::XGraphic > getGraphicAndGraphicObjectFromURL_nothrow( css::uno::Reference< css::graphic::XGraphicObject >& xOutGraphicObject, const OUString& _rURL );
- static css::uno::Reference< css::graphic::XGraphic > getGraphicFromURL_nothrow( const OUString& _rURL );
+ static css::uno::Reference< css::graphic::XGraphic > getGraphicFromURL_nothrow( const OUString& _rURL, OUString const & referer );
};
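Review bot: The new `referer` parameter of getGraphicFromURL_nothrow is undocumented in the header; the comment above covers only getGraphicAndGraphicObjectFromURL_nothrow. Callers need to know that the function now returns an empty reference for two distinct reasons. I would add a comment above the declaration such as `// returns an empty reference if _rURL is empty or if referer is untrusted according to SvtSecurityOptions::isUntrustedReferer`. It should also say what a caller passes when it has no referer.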
#define BASEPROPERTY_ACTIVE_SEL_TEXT_COLOR 167
#define BASEPROPERTY_INACTIVE_SEL_TEXT_COLOR 168
#define BASEPROPERTY_TYPEDITEMLIST 169 // AnySequence
+#define BASEPROPERTY_REFERER 172
// These properties are not bound, they are always extracted from the BASEPROPERTY_FONTDESCRIPTOR property
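Review bot: BASEPROPERTY_REFERER is added without the value-type comment that the neighbouring BASEPROPERTY_TYPEDITEMLIST carries (`// AnySequence`). Since the property table entry declares it as OUString, I would write `#define BASEPROPERTY_REFERER 172 // OUString`. The value jumps from 169 to 172; presumably 170 and 171 are defined outside this hunk, which is worth confirming so the ID does not collide.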
( !aImageURL.isEmpty() ))
{
OUString absoluteUrl = getPhysicalLocation(ImplGetPropertyValue(PROPERTY_DIALOGSOURCEURL), uno::makeAny(aImageURL));
- xGraphic = ImageHelper::getGraphicFromURL_nothrow( absoluteUrl );
+ xGraphic = ImageHelper::getGraphicFromURL_nothrow( absoluteUrl, "" );
ImplSetPropertyValue( PROPERTY_GRAPHIC, uno::makeAny( xGraphic ), true );
}
}
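Review bot: The call `ImageHelper::getGraphicFromURL_nothrow( absoluteUrl, "" )` hard-codes an empty referer, so the check added inside getGraphicFromURL_nothrow can only block this load if isUntrustedReferer rejects an empty string, which is not shown on this page. If empty is treated as trusted, this path is exempt from the new protection. That should be a stated decision rather than an implicit one. Either pass the model's Referer property here, or add a comment such as `// empty referer on purpose: <why this URL source is trusted>`. The same literal `""` is passed in the BASEPROPERTY_DIALOGSOURCEURL hunk that follows and in getGraphicAndGraphicObjectFromURL_nothrow.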
( !aImageURL.isEmpty() ))
{
OUString absoluteUrl = getPhysicalLocation(ImplGetPropertyValue(GetPropertyName(BASEPROPERTY_DIALOGSOURCEURL)), uno::makeAny(aImageURL));
- xGraphic = ImageHelper::getGraphicFromURL_nothrow( absoluteUrl );
+ xGraphic = ImageHelper::getGraphicFromURL_nothrow( absoluteUrl, "" );
}
ImplSetPropertyValue( GetPropertyName( BASEPROPERTY_GRAPHIC), uno::makeAny( xGraphic ), true );
break;
#include <toolkit/helper/property.hxx>
#include <helper/servicenames.hxx>
#include <toolkit/helper/macros.hxx>
+#include <unotools/securityoptions.hxx>
// for introspection
#include <toolkit/awt/vclxwindows.hxx>
ImageHelper::getGraphicAndGraphicObjectFromURL_nothrow( uno::Reference< graphic::XGraphicObject >& xOutGraphicObj, const OUString& _rURL )
{
xOutGraphicObj = nullptr;
- return ImageHelper::getGraphicFromURL_nothrow( _rURL );
+ return ImageHelper::getGraphicFromURL_nothrow( _rURL, "" );
}
css::uno::Reference< css::graphic::XGraphic >
-ImageHelper::getGraphicFromURL_nothrow( const OUString& _rURL )
+ImageHelper::getGraphicFromURL_nothrow( const OUString& _rURL, OUString const & referer )
{
uno::Reference< graphic::XGraphic > xGraphic;
- if ( _rURL.isEmpty() )
+ if ( _rURL.isEmpty() || SvtSecurityOptions().isUntrustedReferer(referer) )
return xGraphic;
try
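Review bot: The new condition `SvtSecurityOptions().isUntrustedReferer(referer)` is evaluated before the `try` that follows, so anything thrown while constructing SvtSecurityOptions or reading the option would escape a function whose name promises `_nothrow`. Whether that constructor can throw is not visible here, so this may be benign. Moving the referer check to the first statement inside the `try` block would keep the contract independent of that detail. The `try` body lies outside the hunk, so the exact placement has to be checked against the full function.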
mbAdjustingGraphic = true;
OUString sImageURL;
OSL_VERIFY( rValue >>= sImageURL );
- setDependentFastPropertyValue( BASEPROPERTY_GRAPHIC, uno::makeAny( ImageHelper::getGraphicFromURL_nothrow( sImageURL ) ) );
+ css::uno::Any any;
+ getFastPropertyValue(any, BASEPROPERTY_REFERER);
+ OUString referer;
+ any >>= referer;
+ setDependentFastPropertyValue( BASEPROPERTY_GRAPHIC, uno::makeAny( ImageHelper::getGraphicFromURL_nothrow( sImageURL, referer ) ) );
mbAdjustingGraphic = false;
}
break;
DECL_PROP_3 ( "InactiveSelectionBackgroundColor", INACTIVE_SEL_BACKGROUND_COLOR, sal_Int32, BOUND, MAYBEDEFAULT, MAYBEVOID ),
DECL_PROP_3 ( "ActiveSelectionTextColor", ACTIVE_SEL_TEXT_COLOR, sal_Int32, BOUND, MAYBEDEFAULT, MAYBEVOID ),
DECL_PROP_3 ( "InactiveSelectionTextColor", INACTIVE_SEL_TEXT_COLOR, sal_Int32, BOUND, MAYBEDEFAULT, MAYBEVOID ),
+
+ DECL_PROP_2("Referer", REFERER, OUString, BOUND, MAYBEVOID),
};
rElementCount = SAL_N_ELEMENTS(aImplPropertyInfos);
return aImplPropertyInfos;
OSL_ENSURE(xPure.is(),
OStringBuffer("OElementImport::createElement: service factory gave me no object (service name: ").append(OUStringToOString(m_sServiceName, RTL_TEXTENCODING_ASCII_US)).append(")!").getStr());
xReturn.set(xPure, UNO_QUERY);
+ if (auto const props = Reference<css::beans::XPropertySet>(xPure, css::uno::UNO_QUERY))
+ {
+ try {
+ props->setPropertyValue(
+ "Referer", css::uno::Any(m_rFormImport.getGlobalContext().GetBaseURL()));
+ } catch (css::uno::Exception &) {
+ TOOLS_INFO_EXCEPTION("xmloff.forms", "setPropertyValue Referer failed");
+ }
+ }
}
else
OSL_FAIL("OElementImport::createElement: no service name to create an element!");
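Review bot: The `catch (css::uno::Exception &)` around `setPropertyValue("Referer", ...)` treats every failure the same and logs only at info level, so an element that has the property but failed to receive it is still returned with no referer. Later checks would then see an empty referer, which makes this path fail open if empty is treated as trusted. I would separate the expected case from the rest: add `catch (css::beans::UnknownPropertyException &)` with a comment that most form elements have no Referer property. The remaining handler should then use `TOOLS_WARN_EXCEPTION("xmloff.forms", "setPropertyValue Referer failed");`. It is also worth noting in a comment what `GetBaseURL()` yields for a document without a base URL, since that value becomes the referer.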