From: Stephan Bergmann <sbergman@redhat.com>
Date: Tue, 6 Aug 2019 11:29:22 +0000 (+0200)
Subject: Properly obtain location
X-Git-Tag: archive/raspbian/1%5.2.7-1+rpi1+deb9u10^2~1
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=965c995fd6d1c44b30eeb1c6c2eaee97fef1467e;p=libreoffice.git

Properly obtain location

Change-Id: I9fb0d883a3623394343cd54ef61e5610544198c8
Reviewed-on: https://gerrit.libreoffice.org/77019
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
(cherry picked from commit a9cde2557242a0c343d99533f3ee032599c66f42)
Reviewed-on: https://gerrit.libreoffice.org/77022
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
Tested-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>

Gbp-Pq: Name Properly-obtain-location.diff
---

diff --git a/scripting/source/protocolhandler/scripthandler.cxx b/scripting/source/protocolhandler/scripthandler.cxx
index 85573b51a5c..8577fd00cd7 100644
--- a/scripting/source/protocolhandler/scripthandler.cxx
+++ b/scripting/source/protocolhandler/scripthandler.cxx
@@ -49,6 +49,7 @@
 
 #include "com/sun/star/uno/XComponentContext.hpp"
 #include "com/sun/star/uri/XUriReference.hpp"
+#include "com/sun/star/uri/XVndSunStarScriptUrlReference.hpp"
 #include "com/sun/star/uri/UriReferenceFactory.hpp"
 #include "com/sun/star/uri/XVndSunStarScriptUrl.hpp"
 
@@ -146,8 +147,12 @@ void SAL_CALL ScriptProtocolHandler::dispatchWithNotification(
     {
         try
         {
-            bool bIsDocumentScript = ( aURL.Complete.indexOf( "document" ) !=-1 );
-                // TODO: isn't this somewhat strange? This should be a test for a location=document parameter, shouldn't it?
+            css::uno::Reference<css::uri::XUriReferenceFactory> urifac(
+                css::uri::UriReferenceFactory::create(m_xContext));
+            css::uno::Reference<css::uri::XVndSunStarScriptUrlReference> uri(
+                urifac->parse(aURL.Complete), css::uno::UNO_QUERY_THROW);
+            auto const loc = uri->getParameter("location");
+            bool bIsDocumentScript = loc == "document";
 
             if ( bIsDocumentScript )
             {
diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx
index d500ce76211..336a56c307e 100644
--- a/sfx2/source/doc/objmisc.cxx
+++ b/sfx2/source/doc/objmisc.cxx
@@ -1500,19 +1500,22 @@ ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptCon
     OSL_TRACE( "in CallXScript" );
     ErrCode nErr = ERRCODE_NONE;
 
-    bool bIsDocumentScript = ( _rScriptURL.indexOf( "location=document" ) >= 0 );
-        // TODO: we should parse the URL, and check whether there is a parameter with this name.
-        // Otherwise, we might find too much.
-    if ( bIsDocumentScript && !lcl_isScriptAccessAllowed_nothrow( _rxScriptContext ) )
-        return ERRCODE_IO_ACCESSDENIED;
-
-    if ( UnTrustedScript(_rScriptURL) )
-        return ERRCODE_IO_ACCESSDENIED;
-
     bool bCaughtException = false;
     Any aException;
     try
     {
+        css::uno::Reference<css::uri::XUriReferenceFactory> urifac(
+            css::uri::UriReferenceFactory::create(comphelper::getProcessComponentContext()));
+        css::uno::Reference<css::uri::XVndSunStarScriptUrlReference> uri(
+            urifac->parse(_rScriptURL), css::uno::UNO_QUERY_THROW);
+        auto const loc = uri->getParameter("location");
+        bool bIsDocumentScript = loc == "document";
+        if ( bIsDocumentScript && !lcl_isScriptAccessAllowed_nothrow( _rxScriptContext ) )
+            return ERRCODE_IO_ACCESSDENIED;
+
+        if ( UnTrustedScript(_rScriptURL) )
+            return ERRCODE_IO_ACCESSDENIED;
+
         // obtain/create a script provider
         Reference< provider::XScriptProvider > xScriptProvider;
         Reference< provider::XScriptProviderSupplier > xSPS( _rxScriptContext, UNO_QUERY );