CVE-2020-12803 limit forms to http[s]
authorCaolán McNamara <caolanm@redhat.com>
Mon, 11 May 2020 19:46:43 +0000 (20:46 +0100)
committerBastien Roucariès <rouca@debian.org>
Fri, 29 Dec 2023 09:39:36 +0000 (09:39 +0000)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/93993
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
(cherry picked from commit 5d101a65c31e6c2f8dd0edffe05f69055cbd481c)

Conflicts:
forms/source/xforms/submission.cxx

Change-Id: I3ed0bc626f693ec03f610dc7361f93cad914c9d8

origin: https://github.com/LibreOffice/core/commit/ddd7a2f43634bb3e2b2a1978bcf09d8f3fd27bab.patch

Gbp-Pq: Name 0097-CVE-2020-12803-limit-forms-to-http-s.patch

forms/source/xforms/submission.cxx
forms/source/xforms/submission/submission.hxx

index 3757378c663d5c06ad58c8443cb378714f6ca2a5..81cc0563d390be36850223af74e7c41e88d8a035 100644 (file)
@@ -255,6 +255,9 @@ bool Submission::doSubmit( const Reference< XInteractionHandler >& xHandler )
     }
 
     xSubmission->setEncoding(getEncoding());
+    if (!xSubmission->IsWebProtocol())
+        return false;
+
     CSubmission::SubmissionResult aResult = xSubmission->submit( xHandler );
 
     if (aResult == CSubmission::SUCCESS)
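Review bot: The new `IsWebProtocol()` guard in doSubmit returns `false` with no comment or log, so a submission refused by this policy looks the same to the caller as any other `false` result (the rest of doSubmit is outside the hunk). A short comment above the check, such as `// CVE-2020-12803: only submit to http/https targets`, and a `SAL_WARN` stating that the target scheme was rejected would make the refusal diagnosable in the field. The guard inspects only the URL held by the submission object; whether the transport can later be redirected to a different scheme is not visible here and is worth confirming.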
index 7d726392c7367e351694980c77c69d13dbdf875e..f93146d5923e01a35de020bc16b358fb444c8266 100644 (file)
@@ -127,6 +127,12 @@ public:
         , m_xContext(::comphelper::getProcessComponentContext())
     {}
 
+    bool IsWebProtocol() const
+    {
+        INetProtocol eProtocol = m_aURLObj.GetProtocol();
+        return eProtocol == INetProtocol::Http || eProtocol == INetProtocol::Https;
+    }
+
     virtual ~CSubmission() {}
 
     void setEncoding(const OUString& aEncoding)
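Review bot: `IsWebProtocol()` is the security gate for this fix but carries no doc comment, and its PascalCase name differs from the neighbouring `setEncoding` in the same class. I would add a comment along the lines of `/// True only if the target URL scheme is http or https; every other scheme, including an unparsable URL, is refused`, after confirming that an unparsable URL does map to a non-web `INetProtocol` value. The check is an allowlist on `m_aURLObj`, so it is only as good as the point where that member is set, which is outside this hunk. It would help to state in the comment that the URL must not be changed between this check and `submit()`.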