CVE-2022-3140: check IFrame "FrameURL" target

similiar to

commit b3edf85e0fe6ca03dc26e1bf531be82193bc9627
Date:   Wed Aug 7 17:37:11 2019 +0100

    warn on load when a document binds an event to a macro

Change-Id: Iea888b1c083d2dc69ec322309ac9ae8c5e5eb315
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139059
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
Conflicts:
	sfx2/source/doc/iframe.cxx
	sw/source/filter/html/htmlplug.cxx
	sw/source/filter/xml/xmltexti.cxx
bug-debian-security: https://deb.freexian.com/extended-lts/tracker/CVE-2022-3140
bug: https://deb.freexian.com/extended-lts/tracker/CVE-2022-3140

Gbp-Pq: Name 0072-CVE-2022-3140-check-IFrame-FrameURL-target.patch

diff --git a/sfx2/source/appl/macroloader.cxx b/sfx2/source/appl/macroloader.cxx
index a910138908fde180220661430a9b551ffc357c38..113a852411156d5a80924b1ac4dbbea890739450 100644 (file)
--- a/sfx2/source/appl/macroloader.cxx
+++ b/sfx2/source/appl/macroloader.cxx
@@ -73,10 +73,10 @@ css::uno::Sequence<OUString> SAL_CALL SfxMacroLoader::getSupportedServiceNames()
     return aSeq;
 }
 
-SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl()
+SfxObjectShell* SfxMacroLoader::GetObjectShell(const Reference <XFrame>& xFrame)
 {
     SfxObjectShell* pDocShell = nullptr;
-    Reference < XFrame > xFrame( m_xFrame.get(), UNO_QUERY );
+
     if ( xFrame.is() )
     {
         SfxFrame* pFrame=nullptr;
@@ -93,6 +93,11 @@ SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl()
     return pDocShell;
 }
 
+SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl()
+{
+    Reference < XFrame > xFrame( m_xFrame.get(), UNO_QUERY );
+    return SfxMacroLoader::GetObjectShell(xFrame);
+}
 
 uno::Reference<frame::XDispatch> SAL_CALL SfxMacroLoader::queryDispatch(
     const util::URL&   aURL            ,

diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx
index 7d7fdb02ad9881c86c2c46a590ef708d9623f03c..f1e03e7898a2e0c29bf3d11d8e401943dc060a52 100644 (file)
--- a/sfx2/source/doc/iframe.cxx
+++ b/sfx2/source/doc/iframe.cxx
@@ -39,10 +39,12 @@
 #include <svl/ownlist.hxx>
 #include <svl/itemprop.hxx>
 #include <sfx2/frmdescr.hxx>
+#include <sfx2/objsh.hxx>
 #include <sfx2/sfxdlg.hxx>
 #include <sfx2/sfxsids.hrc>
 #include <toolkit/helper/vclunohelper.hxx>
 #include <vcl/window.hxx>
+#include <macroloader.hxx>
 
 using namespace ::com::sun::star;
 
@@ -158,6 +160,19 @@ sal_Bool SAL_CALL IFrameObject::load(
 {
     if ( SvtMiscOptions().IsPluginsEnabled() )
     {
+        util::URL aTargetURL;
+        aTargetURL.Complete = maFrmDescr.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE );
+        uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) );
+        xTrans->parseStrict( aTargetURL );
+
+        if (INetURLObject(aTargetURL.Complete).GetProtocol() == INetProtocol::Macro)
+        {
+            uno::Reference<frame::XFramesSupplier> xParentFrame = xFrame->getCreator();
+            SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame);
+            if (pDoc && !pDoc->AdjustMacroMode())
+                return false;
+        }
+
         DBG_ASSERT( !mxFrame.is(), "Frame already existing!" );
         VclPtr<vcl::Window> pParent = VCLUnoHelper::GetWindow( xFrame->getContainerWindow() );
         VclPtr<IFrameWindow_Impl> pWin = VclPtr<IFrameWindow_Impl>::Create( pParent, maFrmDescr.IsFrameBorderOn() );
@@ -180,11 +195,6 @@ sal_Bool SAL_CALL IFrameObject::load(
         if ( xFramesSupplier.is() )
             mxFrame->setCreator( xFramesSupplier );
 
-        util::URL aTargetURL;
-        aTargetURL.Complete = maFrmDescr.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE );
-        uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) );
-        xTrans->parseStrict( aTargetURL );
-
         uno::Sequence < beans::PropertyValue > aProps(2);
         aProps[0].Name = "PluginMode";
         aProps[0].Value <<= sal_Int16(2);

diff --git a/sfx2/source/inc/macroloader.hxx b/sfx2/source/inc/macroloader.hxx
index 94fa5165fdd9f4b634eccfb070bbfb4b943c60ec..e2d5f8fd76c488e18888ae1f36d7a2dea9e78ec8 100644 (file)
--- a/sfx2/source/inc/macroloader.hxx
+++ b/sfx2/source/inc/macroloader.hxx
@@ -81,6 +81,8 @@ public:
     virtual void SAL_CALL addStatusListener( const css::uno::Reference< css::frame::XStatusListener >& xControl, const css::util::URL& aURL ) override;
 
     virtual void SAL_CALL removeStatusListener( const css::uno::Reference< css::frame::XStatusListener >& xControl, const css::util::URL& aURL ) override;
+
+    static SfxObjectShell* GetObjectShell(const css::uno::Reference<css::frame::XFrame>& xFrame);
 };
 
 #endif

diff --git a/sw/source/filter/html/htmlplug.cxx b/sw/source/filter/html/htmlplug.cxx
index 19ef7252094a3434edb2a96215a8e29ffd692a77..955eeab36ee9514f893fdc497a78c698c69c52f1 100644 (file)
--- a/sw/source/filter/html/htmlplug.cxx
+++ b/sw/source/filter/html/htmlplug.cxx
@@ -1006,7 +1006,12 @@ void SwHTMLParser::InsertFloatingFrame()
                 bool bHasBorder = aFrameDesc.HasFrameBorder();
                 Size aMargin = aFrameDesc.GetMargin();
 
-                xSet->setPropertyValue("FrameURL", uno::makeAny( aFrameDesc.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE ) ) );
+                OUString sHRef = aFrameDesc.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE );
+
+                if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro)
+                    NotifyMacroEventRead();
+
+                xSet->setPropertyValue("FrameURL", uno::makeAny( sHRef ) );
                 xSet->setPropertyValue("FrameName", uno::makeAny( aName ) );
 
                 if ( eScroll == ScrollingMode::Auto )

diff --git a/sw/source/filter/xml/xmltexti.cxx b/sw/source/filter/xml/xmltexti.cxx
index 0cbf9fd85677e2d06f9674c9e87248a174b48430..8366f0ae38045a9d460d169f1a6e2dbda0607525 100644 (file)
--- a/sw/source/filter/xml/xmltexti.cxx
+++ b/sw/source/filter/xml/xmltexti.cxx
@@ -854,9 +854,14 @@ uno::Reference< XPropertySet > SwXMLTextImportHelper::createAndInsertFloatingFra
             uno::Reference < beans::XPropertySet > xSet( xObj->getComponent(), uno::UNO_QUERY );
             if ( xSet.is() )
             {
+                OUString sHRef = URIHelper::SmartRel2Abs(
+                            INetURLObject( GetXMLImport().GetBaseURL() ), rHRef );
+
+                if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro)
+                    GetXMLImport().NotifyMacroEventRead();
+
                 xSet->setPropertyValue("FrameURL",
-                    makeAny( URIHelper::SmartRel2Abs(
-                            INetURLObject( GetXMLImport().GetBaseURL() ), rHRef ) ) );
+                    makeAny( sHRef ) );
 
                 xSet->setPropertyValue("FrameName",
                     makeAny( rName ) );