From: Caolán McNamara <caolanm@redhat.com>
Date: Thu, 18 Oct 2018 19:39:23 +0000 (+0100)
Subject: keep pyuno script processing below base uri
X-Git-Tag: archive/raspbian/1%5.2.7-1+rpi1+deb9u9^2~6
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=dbc2d57efbb9fcbd25994a86c47a5f40142dceb3;p=libreoffice.git

keep pyuno script processing below base uri

Change-Id: Icc13fb7193fb1e7c50e0df286161a10b4ed636c7
Reviewed-on: https://gerrit.libreoffice.org/61969
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>

Gbp-Pq: Name keep-pyuno-script-processing-below-base-uri.diff
---

diff --git a/scripting/source/pyprov/pythonscript.py b/scripting/source/pyprov/pythonscript.py
index a2fc4f055a1..9609b6d9464 100644
--- a/scripting/source/pyprov/pythonscript.py
+++ b/scripting/source/pyprov/pythonscript.py
@@ -24,6 +24,7 @@ import imp
 import time
 import ast
 import platform
+from com.sun.star.uri.RelativeUriExcessParentSegments import RETAIN
 
 try:
     unicode
@@ -211,8 +212,33 @@ class MyUriHelper:
 
     def scriptURI2StorageUri( self, scriptURI ):
         try:
-            myUri = self.m_uriRefFac.parse(scriptURI)
-            ret = self.m_baseUri + "/" + myUri.getName().replace( "|", "/" )
+            # base path to the python script location
+            sBaseUri = self.m_baseUri + "/"
+            xBaseUri = self.m_uriRefFac.parse(sBaseUri)
+
+            # path to the .py file + "$functionname, arguments, etc
+            xStorageUri = self.m_uriRefFac.parse(scriptURI)
+            sStorageUri = xStorageUri.getName().replace( "|", "/" );
+
+            # path to the .py file, relative to the base
+            sFileUri = sStorageUri[0:sStorageUri.find("$")]
+            xFileUri = self.m_uriRefFac.parse(sFileUri)
+            if not xFileUri:
+                message = "pythonscript: invalid relative uri '" + sFileUri+ "'"
+                log.debug( message )
+                raise RuntimeException( message )
+
+            # absolute path to the .py file
+            xAbsScriptUri = self.m_uriRefFac.makeAbsolute(xBaseUri, xFileUri, True, RETAIN)
+            sAbsScriptUri = xAbsScriptUri.getUriReference()
+
+            # ensure py file is under the base path
+            if not sAbsScriptUri.startswith(sBaseUri):
+                message = "pythonscript: storage uri '" + sAbsScriptUri + "' not in base uri '" + self.m_baseUri + "'"
+                log.debug( message )
+                raise RuntimeException( message )
+
+            ret = sBaseUri + sStorageUri
             log.debug( "converting scriptURI="+scriptURI + " to storageURI=" + ret )
             return ret
         except UnoException as e: