From: Caolán McNamara Date: Tue, 11 Apr 2023 09:13:37 +0000 (+0100) Subject: [1/3] CVE-2023-2255 set Referer on loading IFrames X-Git-Tag: archive/raspbian/1%6.1.5-3+rpi1+deb10u10^2~4 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=31e25cc6f7df9eb74c94d5d8d1b95b845cac22bd;p=libreoffice.git [1/3] CVE-2023-2255 set Referer on loading IFrames so tools, options, security, options, "block any links from document not..." applies to their contents. Change-Id: I04839aea6b07a4a76ac147a85045939ccd9c3c79 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150221 Tested-by: Jenkins Reviewed-by: Caolán McNamara Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150751 Reviewed-by: Stephan Bergmann (cherry picked from commit acff9ca0579333b45d10ae5f8cd48172f563dddd) (cherry picked from commit 04c8176fb40d2eb983aa0bd0a6ce65804d3f6ecd) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152096 Tested-by: Caolán McNamara Reviewed-by: Caolán McNamara bug: https://www.libreoffice.org/about-us/security/advisories/cve-2023-2255/ bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-2255 Gbp-Pq: Name 0077-1-3-CVE-2023-2255-set-Referer-on-loading-IFrames.patch --- diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx index f1e03e7898a..dc0c023d87e 100644 --- a/sfx2/source/doc/iframe.cxx +++ b/sfx2/source/doc/iframe.cxx @@ -32,12 +32,14 @@ #include #include +#include #include #include #include #include #include #include +#include #include #include #include 
@@ -165,14 +167,19 @@ sal_Bool SAL_CALL IFrameObject::load( uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) ); xTrans->parseStrict( aTargetURL ); + uno::Reference xParentFrame = xFrame->getCreator(); + SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame); + if (INetURLObject(aTargetURL.Complete).GetProtocol() == INetProtocol::Macro) { - uno::Reference xParentFrame = xFrame->getCreator(); - SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame); if (pDoc && !pDoc->AdjustMacroMode()) return false; } + OUString sReferer; + if (pDoc && pDoc->HasName()) + sReferer = pDoc->GetMedium()->GetName(); + DBG_ASSERT( !mxFrame.is(), "Frame already existing!" ); VclPtr pParent = VCLUnoHelper::GetWindow( xFrame->getContainerWindow() ); VclPtr pWin = VclPtr::Create( pParent, maFrmDescr.IsFrameBorderOn() ); @@ -195,11 +202,11 @@ sal_Bool SAL_CALL IFrameObject::load( if ( xFramesSupplier.is() ) mxFrame->setCreator( xFramesSupplier ); - uno::Sequence < beans::PropertyValue > aProps(2); - aProps[0].Name = "PluginMode"; - aProps[0].Value <<= sal_Int16(2); - aProps[1].Name = "ReadOnly"; - aProps[1].Value <<= true; + uno::Sequence < beans::PropertyValue > aProps{ + comphelper::makePropertyValue("PluginMode", sal_Int16(2)), + comphelper::makePropertyValue("ReadOnly", true), + comphelper::makePropertyValue("Referer", sReferer) + }; uno::Reference < frame::XDispatch > xDisp = mxFrame->queryDispatch( aTargetURL, "_self", 0 ); if ( xDisp.is() ) xDisp->dispatch( aTargetURL, aProps );
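Review bot: The added `sReferer = pDoc->GetMedium()->GetName();` checks `pDoc` but dereferences the result of `GetMedium()` directly, and nothing in the hunk shows that `HasName()` guarantees a medium. A guarded form inside the existing `if` avoids that: `if (SfxMedium* pMedium = pDoc->GetMedium()) sReferer = pMedium->GetName();`. Separately, when `pDoc` is null or the document is unnamed, `sReferer` stays empty and the frame is still loaded, and for a null `pDoc` the macro-mode check above is skipped as well. How the link-blocking option treats an empty Referer is not visible here, so a comment stating the intended outcome for that case would help. `IFrameObject::load` begins before this hunk and continues past it.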
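Review bot: Nothing at the new `aProps` initializer says that the `"Referer"` entry is the security-relevant part of this change, so a later cleanup of the property list could drop it without anyone noticing that the link-blocking option stops seeing the embedding document. A one-line comment above the initializer would cover it, for example `// Referer: lets the security option "block any links from document not..." apply to the frame's content`. The entry is also sent when `sReferer` is empty. If the dispatch target distinguishes an absent Referer from an empty one (not visible in this hunk), the same comment should say which is intended. The enclosing `IFrameObject::load` starts and ends outside the hunk.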