From: Caolán McNamara Date: Tue, 30 Aug 2022 16:01:08 +0000 (+0100) Subject: CVE-2022-3140: check IFrame "FrameURL" target X-Git-Tag: archive/raspbian/1%6.1.5-3+rpi1+deb10u11^2~26 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=52290fc71c2d8428ed38e681e6dd726d5616d3cd;p=libreoffice.git CVE-2022-3140: check IFrame "FrameURL" target similiar to commit b3edf85e0fe6ca03dc26e1bf531be82193bc9627 Date: Wed Aug 7 17:37:11 2019 +0100 warn on load when a document binds an event to a macro Change-Id: Iea888b1c083d2dc69ec322309ac9ae8c5e5eb315 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139059 Tested-by: Jenkins Reviewed-by: Stephan Bergmann Conflicts: sfx2/source/doc/iframe.cxx sw/source/filter/html/htmlplug.cxx sw/source/filter/xml/xmltexti.cxx bug-debian-security: https://deb.freexian.com/extended-lts/tracker/CVE-2022-3140 bug: https://deb.freexian.com/extended-lts/tracker/CVE-2022-3140 Gbp-Pq: Name 0072-CVE-2022-3140-check-IFrame-FrameURL-target.patch --- diff --git a/sfx2/source/appl/macroloader.cxx b/sfx2/source/appl/macroloader.cxx index a910138908f..113a8524111 100644 --- a/sfx2/source/appl/macroloader.cxx +++ b/sfx2/source/appl/macroloader.cxx @@ -73,10 +73,10 @@ css::uno::Sequence SAL_CALL SfxMacroLoader::getSupportedServiceNames() return aSeq; } -SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl() +SfxObjectShell* SfxMacroLoader::GetObjectShell(const Reference & xFrame) { SfxObjectShell* pDocShell = nullptr; - Reference < XFrame > xFrame( m_xFrame.get(), UNO_QUERY ); + if ( xFrame.is() ) { SfxFrame* pFrame=nullptr; @@ -93,6 +93,11 @@ SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl() return pDocShell; } +SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl() +{ + Reference < XFrame > xFrame( m_xFrame.get(), UNO_QUERY ); + return SfxMacroLoader::GetObjectShell(xFrame); +} uno::Reference SAL_CALL SfxMacroLoader::queryDispatch( const util::URL& aURL , diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx index 7d7fdb02ad9..f1e03e7898a 100644 --- a/sfx2/source/doc/iframe.cxx +++ b/sfx2/source/doc/iframe.cxx @@ -39,10 +39,12 @@ #include #include #include +#include #include #include #include #include +#include using namespace ::com::sun::star; @@ -158,6 +160,19 @@ sal_Bool SAL_CALL IFrameObject::load( { if ( SvtMiscOptions().IsPluginsEnabled() ) { + util::URL aTargetURL; + aTargetURL.Complete = maFrmDescr.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE ); + uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) ); + xTrans->parseStrict( aTargetURL ); + + if (INetURLObject(aTargetURL.Complete).GetProtocol() == INetProtocol::Macro) + { + uno::Reference xParentFrame = xFrame->getCreator(); + SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame); + if (pDoc && !pDoc->AdjustMacroMode()) + return false; + } + DBG_ASSERT( !mxFrame.is(), "Frame already existing!" ); VclPtr pParent = VCLUnoHelper::GetWindow( xFrame->getContainerWindow() ); VclPtr pWin = VclPtr::Create( pParent, maFrmDescr.IsFrameBorderOn() ); @@ -180,11 +195,6 @@ sal_Bool SAL_CALL IFrameObject::load( if ( xFramesSupplier.is() ) mxFrame->setCreator( xFramesSupplier ); - util::URL aTargetURL; - aTargetURL.Complete = maFrmDescr.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE ); - uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) ); - xTrans->parseStrict( aTargetURL ); - uno::Sequence < beans::PropertyValue > aProps(2); aProps[0].Name = "PluginMode"; aProps[0].Value <<= sal_Int16(2); diff --git a/sfx2/source/inc/macroloader.hxx b/sfx2/source/inc/macroloader.hxx index 94fa5165fdd..e2d5f8fd76c 100644 --- a/sfx2/source/inc/macroloader.hxx +++ b/sfx2/source/inc/macroloader.hxx @@ -81,6 +81,8 @@ public: virtual void SAL_CALL addStatusListener( const css::uno::Reference< css::frame::XStatusListener >& xControl, const css::util::URL& aURL ) override; virtual void SAL_CALL removeStatusListener( const css::uno::Reference< css::frame::XStatusListener >& xControl, const css::util::URL& aURL ) override; + + static SfxObjectShell* GetObjectShell(const css::uno::Reference& xFrame); }; #endif diff --git a/sw/source/filter/html/htmlplug.cxx b/sw/source/filter/html/htmlplug.cxx index 19ef7252094..955eeab36ee 100644 --- a/sw/source/filter/html/htmlplug.cxx +++ b/sw/source/filter/html/htmlplug.cxx @@ -1006,7 +1006,12 @@ void SwHTMLParser::InsertFloatingFrame() bool bHasBorder = aFrameDesc.HasFrameBorder(); Size aMargin = aFrameDesc.GetMargin(); - xSet->setPropertyValue("FrameURL", uno::makeAny( aFrameDesc.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE ) ) ); + OUString sHRef = aFrameDesc.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE ); + + if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro) + NotifyMacroEventRead(); + + xSet->setPropertyValue("FrameURL", uno::makeAny( sHRef ) ); xSet->setPropertyValue("FrameName", uno::makeAny( aName ) ); if ( eScroll == ScrollingMode::Auto ) diff --git a/sw/source/filter/xml/xmltexti.cxx b/sw/source/filter/xml/xmltexti.cxx index 0cbf9fd8567..8366f0ae380 100644 --- a/sw/source/filter/xml/xmltexti.cxx +++ b/sw/source/filter/xml/xmltexti.cxx @@ -854,9 +854,14 @@ uno::Reference< XPropertySet > SwXMLTextImportHelper::createAndInsertFloatingFra uno::Reference < beans::XPropertySet > xSet( xObj->getComponent(), uno::UNO_QUERY ); if ( xSet.is() ) { + OUString sHRef = URIHelper::SmartRel2Abs( + INetURLObject( GetXMLImport().GetBaseURL() ), rHRef ); + + if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro) + GetXMLImport().NotifyMacroEventRead(); + xSet->setPropertyValue("FrameURL", - makeAny( URIHelper::SmartRel2Abs( - INetURLObject( GetXMLImport().GetBaseURL() ), rHRef ) ) ); + makeAny( sHRef ) ); xSet->setPropertyValue("FrameName", makeAny( rName ) );