From 292fe2f32df0e9096e63383eb45924eceb2179db Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>

Date: Tue, 23 Jul 2019 15:31:05 +0100

Subject: [PATCH 2/3] expand LibreLogo check to global events

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Reviewed-on: https://gerrit.libreoffice.org/76189

Reviewed-by: Caolán McNamara <caolanm@redhat.com>

Tested-by: Caolán McNamara <caolanm@redhat.com>

(cherry picked from commit 4a66c7eda6ccde26a42c4e31725248c59940255d)

Change-Id: I7f436983ba0eb4b76b02d08ee52626e54b103d5f

Reviewed-on: https://gerrit.libreoffice.org/76305

Reviewed-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>

Tested-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>

---

 include/sfx2/objsh.hxx               |  2 ++

 sfx2/source/doc/objmisc.cxx          |  6 +-----

 sfx2/source/notify/eventsupplier.cxx | 18 ++++++++++++------

 3 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/include/sfx2/objsh.hxx b/include/sfx2/objsh.hxx

index d04758567c80..ed09fc6e2acb 100644

--- a/include/sfx2/objsh.hxx

+++ b/include/sfx2/objsh.hxx

@@ -404,6 +404,8 @@ public:

     */

     bool                        AdjustMacroMode();

+    static bool                 UnTrustedScript(const OUString& rScriptURL);

+

     SvKeyValueIterator*         GetHeaderAttributes();

     void                        ClearHeaderAttributesForSourceViewHack();

     void                        SetHeaderAttributesForSourceViewHack();

diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx

index 7e9288524b34..9b82742302ab 100644

--- a/sfx2/source/doc/objmisc.cxx

+++ b/sfx2/source/doc/objmisc.cxx

@@ -1348,10 +1348,8 @@ namespace

     }

 }

-namespace {

-

 // don't allow LibreLogo to be used with our mouseover/etc dom-alike events

-bool UnTrustedScript(const OUString& rScriptURL)

+bool SfxObjectShell::UnTrustedScript(const OUString& rScriptURL)

 {

     if (!rScriptURL.startsWith("vnd.sun.star.script:"))

         return false;

@@ -1382,8 +1380,6 @@ bool UnTrustedScript(const OUString& rScriptURL)

     return false;

 }

-}

-

 ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptContext, const OUString& _rScriptURL,

     const Sequence< Any >& aParams, Any& aRet, Sequence< sal_Int16 >& aOutParamIndex, Sequence< Any >& aOutParam, bool bRaiseError, const css::uno::Any* pCaller )

 {

diff --git a/sfx2/source/notify/eventsupplier.cxx b/sfx2/source/notify/eventsupplier.cxx

index 78667a1d8036..2656e9c213ec 100644

--- a/sfx2/source/notify/eventsupplier.cxx

+++ b/sfx2/source/notify/eventsupplier.cxx

@@ -207,18 +207,24 @@ void SfxEvents_Impl::Execute( uno::Any const & aEventData, const document::Docum

         else if (aType == "Service" ||

                   aType == "Script")

         {

-            if ( !aScript.isEmpty() )

+            bool bAllowed = false;

+            util::URL aURL;

+            if (!aScript.isEmpty())

             {

-                SfxViewFrame* pView = pDoc ?

-                    SfxViewFrame::GetFirst( pDoc ) :

-                    SfxViewFrame::Current();

-

                 uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( ::comphelper::getProcessComponentContext() ) );

-                util::URL aURL;

                 aURL.Complete = aScript;

                 xTrans->parseStrict( aURL );

+                bAllowed = !SfxObjectShell::UnTrustedScript(aURL.Complete);

+            }

+

+            if (bAllowed)

+            {

+                SfxViewFrame* pView = pDoc ?

+                    SfxViewFrame::GetFirst( pDoc ) :

+                    SfxViewFrame::Current();

+

                 uno::Reference

                     < frame::XDispatchProvider > xProv;

-- 

2.21.0