From 6e582e8b5e528ee4c1e40296e34631a013a89e1b Mon Sep 17 00:00:00 2001 From: Stephan Bergmann Date: Tue, 11 Jun 2024 14:15:47 +0200 Subject: [PATCH] [PATCH] Some missing "block untrusted referer links" for form controls ...where "Referer" is now passed in as an additional property, so that the relevant objects can decide whether to obtain graphics while loading a document Change-Id: Ie3dabc574861713212b906a0d7793f438a7d50a8 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/168674 Tested-by: Jenkins Reviewed-by: Stephan Bergmann (cherry picked from commit dc01a6e7efd3e4c41287dc10c7ea1fdfa1ab5cb5) [backport] Prepare CVE-2024-12426 fixes origin: https://github.com/LibreOffice/core/commit/a32a6301e4ba0c979f5a6b593062749654f3c320 Gbp-Pq: Name CVE-2024-12426_1.patch --- forms/source/component/ImageControl.cxx | 7 +++++++ forms/source/component/clickableimage.cxx | 9 +++++++-- include/toolkit/controls/unocontrols.hxx | 2 +- include/toolkit/helper/property.hxx | 1 + toolkit/source/awt/vclxwindows.cxx | Bin 236836 -> 236888 bytes toolkit/source/controls/dialogcontrol.cxx | 4 ++-- toolkit/source/controls/unocontrols.cxx | 13 +++++++++---- toolkit/source/helper/property.cxx | 2 ++ xmloff/source/forms/elementimport.cxx | 9 +++++++++ 9 files changed, 38 insertions(+), 9 deletions(-) diff --git a/forms/source/component/ImageControl.cxx b/forms/source/component/ImageControl.cxx index 97928cff6fa..98a8acd7404 100644 --- a/forms/source/component/ImageControl.cxx +++ b/forms/source/component/ImageControl.cxx @@ -51,6 +51,7 @@ #include #include #include +#include #include #include 
@@ -389,6 +390,12 @@ void OImageControlModel::read(const Reference& _rxInStream) bool OImageControlModel::impl_updateStreamForURL_lck( const OUString& _rURL, ValueChangeInstigator _eInstigator ) { + OUString referer; + getPropertyValue("Referer") >>= referer; + if (SvtSecurityOptions().isUntrustedReferer(referer)) { + return false; + } + // create a stream for the image specified by the URL std::unique_ptr< SvStream > pImageStream; Reference< XInputStream > xImageStream; diff --git a/forms/source/component/clickableimage.cxx b/forms/source/component/clickableimage.cxx index 68861e42cf3..a8c63050813 100644 --- a/forms/source/component/clickableimage.cxx +++ b/forms/source/component/clickableimage.cxx @@ -46,6 +46,7 @@ #include #include #include +#include #define LOCAL_URL_PREFIX '#' @@ -763,8 +764,12 @@ namespace frm m_bProdStarted = false; - // Kick off download (caution: can be synchronous). - m_pMedium->Download(LINK(this, OClickableImageBaseModel, DownloadDoneLink)); + OUString referer; + getPropertyValue("Referer") >>= referer; + if (!SvtSecurityOptions().isUntrustedReferer(referer)) { + // Kick off download (caution: can be synchronous). + m_pMedium->Download(LINK(this, OClickableImageBaseModel, DownloadDoneLink)); + } } else { diff --git a/include/toolkit/controls/unocontrols.hxx b/include/toolkit/controls/unocontrols.hxx index eb75d36b6e9..a9474075ea9 100644 --- a/include/toolkit/controls/unocontrols.hxx +++ b/include/toolkit/controls/unocontrols.hxx 
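Review bot: In `impl_updateStreamForURL_lck` the result of `getPropertyValue("Referer") >>= referer` is discarded, so a void or non-string "Referer" leaves `referer` empty and the outcome depends on how `isUntrustedReferer` treats an empty string, which this patch does not show. If an empty referer counts as trusted, the guard fails open for any model whose "Referer" was never set; the same pattern recurs in the clickableimage.cxx hunk and in `GraphicControlModel::setFastPropertyValue_NoBroadcast` in unocontrols.cxx. I would state the intended behaviour next to the check, e.g. `// An unset Referer yields an empty string here; confirm isUntrustedReferer() handles that as intended.`, or return early when the extraction fails. The function body continues outside the hunk.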
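Review bot: When the referer is untrusted, the `m_pMedium->Download(...)` call is skipped but nothing else in the branch changes, so any state the surrounding code prepared in expectation of `DownloadDoneLink` running is left as it was (the hunk shows `m_bProdStarted = false;` just above, and `m_pMedium` is already in use). It is worth confirming that the model cannot stay in a "download pending" state. Either reset that state in an `else`, or document why it is harmless, e.g. `// Untrusted referer: no download is started, so DownloadDoneLink is never called.` The enclosing function starts and ends outside the hunk.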
@@ -69,7 +69,7 @@ public: // appropriately ( e.g. NULL if non GraphicObject scheme ) or a valid // object if the rURL points to a valid object static css::uno::Reference< css::graphic::XGraphic > getGraphicAndGraphicObjectFromURL_nothrow( css::uno::Reference< css::graphic::XGraphicObject >& xOutGraphicObject, const OUString& _rURL ); - static css::uno::Reference< css::graphic::XGraphic > getGraphicFromURL_nothrow( const OUString& _rURL ); + static css::uno::Reference< css::graphic::XGraphic > getGraphicFromURL_nothrow( const OUString& _rURL, OUString const & referer ); }; diff --git a/include/toolkit/helper/property.hxx b/include/toolkit/helper/property.hxx index efc924a1ad2..196548abcc8 100644 --- a/include/toolkit/helper/property.hxx +++ b/include/toolkit/helper/property.hxx @@ -208,6 +208,7 @@ namespace uno { #define BASEPROPERTY_ACTIVE_SEL_TEXT_COLOR 167 #define BASEPROPERTY_INACTIVE_SEL_TEXT_COLOR 168 #define BASEPROPERTY_TYPEDITEMLIST 169 // AnySequence +#define BASEPROPERTY_REFERER 172 // These properties are not bound, they are always extracted from the BASEPROPERTY_FONTDESCRIPTOR property diff --git a/toolkit/source/awt/vclxwindows.cxx b/toolkit/source/awt/vclxwindows.cxx index b97988934e22d110f6d281cd94183130863c101c..e5b091d5d6c287acfb08a76bee5c8c5cb48fc697 100644 GIT binary patch delta 48 zcmZ3oi|@uRz6}TECpQELuoiiy6zfbYV-#Tu(wQz;#Awp|M!x-xJR=Y@ZGR)rY*7mU D%8U{6 delta 26 gcmcbyi*Ly;z6}TEo4?Apf0bthVy5k1<(ZRf0kDk>8vp #include #include +#include // for introspection #include 
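Review bot: In property.hxx, `BASEPROPERTY_REFERER` gets id 172 directly after `BASEPROPERTY_TYPEDITEMLIST 169`, which leaves 170 and 171 unused without explanation, and it lacks the value-type remark its neighbour carries (`// AnySequence`). If the gap is deliberate, presumably to keep the numbering aligned with the branch this was cherry-picked from, a comment should say so: `#define BASEPROPERTY_REFERER 172 // OUString; 170/171 intentionally skipped`.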
@@ -60,14 +61,14 @@ uno::Reference< graphic::XGraphic > ImageHelper::getGraphicAndGraphicObjectFromURL_nothrow( uno::Reference< graphic::XGraphicObject >& xOutGraphicObj, const OUString& _rURL ) { xOutGraphicObj = nullptr; - return ImageHelper::getGraphicFromURL_nothrow( _rURL ); + return ImageHelper::getGraphicFromURL_nothrow( _rURL, "" ); } css::uno::Reference< css::graphic::XGraphic > -ImageHelper::getGraphicFromURL_nothrow( const OUString& _rURL ) +ImageHelper::getGraphicFromURL_nothrow( const OUString& _rURL, OUString const & referer ) { uno::Reference< graphic::XGraphic > xGraphic; - if ( _rURL.isEmpty() ) + if ( _rURL.isEmpty() || SvtSecurityOptions().isUntrustedReferer(referer) ) return xGraphic; try @@ -609,7 +610,11 @@ void SAL_CALL GraphicControlModel::setFastPropertyValue_NoBroadcast( sal_Int32 n mbAdjustingGraphic = true; OUString sImageURL; OSL_VERIFY( rValue >>= sImageURL ); - setDependentFastPropertyValue( BASEPROPERTY_GRAPHIC, uno::makeAny( ImageHelper::getGraphicFromURL_nothrow( sImageURL ) ) ); + css::uno::Any any; + getFastPropertyValue(any, BASEPROPERTY_REFERER); + OUString referer; + any >>= referer; + setDependentFastPropertyValue( BASEPROPERTY_GRAPHIC, uno::makeAny( ImageHelper::getGraphicFromURL_nothrow( sImageURL, referer ) ) ); mbAdjustingGraphic = false; } break; diff --git a/toolkit/source/helper/property.cxx b/toolkit/source/helper/property.cxx index c3b67df41ac..cb3face4bf6 100644 --- a/toolkit/source/helper/property.cxx +++ b/toolkit/source/helper/property.cxx 
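Review bot: `getGraphicAndGraphicObjectFromURL_nothrow` now calls `getGraphicFromURL_nothrow( _rURL, "" )` with a hard-coded empty referer, so URLs reaching `getGraphicFromURL_nothrow` through that wrapper are never checked against a real referer. Whether an empty referer is treated as untrusted is decided inside `isUntrustedReferer`, which is not visible here. Either give the wrapper a `referer` parameter as well, or document at the call why no referer is passed: `// No referer is available on this path, so the URL is not filtered by isUntrustedReferer().` As a style point, the new parameter is written `OUString const & referer` next to the existing `const OUString& _rURL`.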
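Review bot: In `GraphicControlModel::setFastPropertyValue_NoBroadcast` the referer is read at the moment the image URL is assigned, so the check only works if `BASEPROPERTY_REFERER` was set before the URL property; a URL that arrives first is evaluated against a void value, and `any >>= referer` then leaves `referer` empty. The xmloff hunk in this patch sets "Referer" right after the element is created, which covers XML import, but other ways of populating the model are not visible here. A comment at the read would make the ordering requirement explicit: `// Referer must already be set when the image URL arrives; a void value yields an empty referer.` The `case` this code sits in starts outside the hunk.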
@@ -267,6 +267,8 @@ static ImplPropertyInfo* ImplGetPropertyInfos( sal_uInt16& rElementCount ) DECL_PROP_3 ( "InactiveSelectionBackgroundColor", INACTIVE_SEL_BACKGROUND_COLOR, sal_Int32, BOUND, MAYBEDEFAULT, MAYBEVOID ), DECL_PROP_3 ( "ActiveSelectionTextColor", ACTIVE_SEL_TEXT_COLOR, sal_Int32, BOUND, MAYBEDEFAULT, MAYBEVOID ), DECL_PROP_3 ( "InactiveSelectionTextColor", INACTIVE_SEL_TEXT_COLOR, sal_Int32, BOUND, MAYBEDEFAULT, MAYBEVOID ), + + DECL_PROP_2("Referer", REFERER, OUString, BOUND, MAYBEVOID), }; rElementCount = SAL_N_ELEMENTS(aImplPropertyInfos); return aImplPropertyInfos; diff --git a/xmloff/source/forms/elementimport.cxx b/xmloff/source/forms/elementimport.cxx index 622d7101863..7b4c81f21f5 100644 --- a/xmloff/source/forms/elementimport.cxx +++ b/xmloff/source/forms/elementimport.cxx @@ -558,6 +558,15 @@ namespace xmloff OSL_ENSURE(xPure.is(), OStringBuffer("OElementImport::createElement: service factory gave me no object (service name: ").append(OUStringToOString(m_sServiceName, RTL_TEXTENCODING_ASCII_US)).append(")!").getStr()); xReturn.set(xPure, UNO_QUERY); + if (auto const props = Reference(xPure, css::uno::UNO_QUERY)) + { + try { + props->setPropertyValue( + "Referer", css::uno::Any(m_rFormImport.getGlobalContext().GetBaseURL())); + } catch (css::uno::Exception &) { + TOOLS_INFO_EXCEPTION("xmloff.forms", "setPropertyValue Referer failed"); + } + } } else OSL_FAIL("OElementImport::createElement: no service name to create an element!"); -- 2.30.2
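Review bot: In elementimport.cxx the `catch (css::uno::Exception &)` around `setPropertyValue("Referer", ...)` only logs, so an element whose "Referer" could not be set is still returned and later referer checks have no value to test for it. Since the property exists to keep untrusted documents from triggering graphic loads, consider separating the expected case (the component simply has no "Referer" property) from real failures, and for the latter not handing the element back, e.g. `xReturn.clear();` in the handler. If `GetBaseURL()` can return an empty string, that case deserves a comment as well. `createElement` starts and ends outside the hunk.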