diff options
author | László Németh <nemeth@numbertext.org> | 2019-06-06 14:25:32 +0200 |
---|---|---|
committer | Michael Stahl <Michael.Stahl@cib.de> | 2019-06-17 16:13:30 +0200 |
commit | f417038e7a5cfef52bc4fc1b8c2d8b50f641ad6d (patch) | |
tree | b4ba3c409b0900ce29610f5f211119c0c45f0085 | |
parent | 19c369ce16149b521a55e430d8eb1bd87f0c9655 (diff) |
sanitize LibreLogo calls
Change-Id: Ie4d9858e5b4b3e55ab08416fb9338d2df34ee5e1
Reviewed-on: https://gerrit.libreoffice.org/73627
Tested-by: Jenkins
Reviewed-by: László Németh <nemeth@numbertext.org>
(cherry picked from commit 1b63fa32bbd4a5b89d2ee3a53b28de4250c8dad3)
-rw-r--r-- | librelogo/source/LibreLogo/LibreLogo.py | 51 |
1 files changed, 50 insertions, 1 deletions
diff --git a/librelogo/source/LibreLogo/LibreLogo.py b/librelogo/source/LibreLogo/LibreLogo.py index 57d385b41ca1..960d48a97e81 100644 --- a/librelogo/source/LibreLogo/LibreLogo.py +++ b/librelogo/source/LibreLogo/LibreLogo.py @@ -145,6 +145,7 @@ __LineStyle_DOTTED__ = 2 class __Doc__: def __init__(self, doc): self.doc = doc + self.secure = False try: self.drawpage = doc.DrawPage # Writer except: @@ -463,10 +464,58 @@ class LogoProgram(threading.Thread): self.code = code threading.Thread.__init__(self) + def secure(self): + # 0 = secure + if _.secure: + return 0 + + # 1 = forms, fields or embedded objects are forbidden + if _.doc.DrawPage.Forms.getCount() > 0 or _.doc.getTextFields().createEnumeration().hasMoreElements() or _.doc.getEmbeddedObjects().getCount() > 0: + return 1 + + # 2 = hyperlinks with script events + nodes = _.doc.Text.createEnumeration() + while nodes.hasMoreElements(): + node = nodes.nextElement() + if node.supportsService("com.sun.star.text.Paragraph"): + portions = node.createEnumeration() + while portions.hasMoreElements(): + portion = portions.nextElement() + if portion.PropertySetInfo.hasPropertyByName("HyperLinkEvents"): + events = portion.getPropertyValue("HyperLinkEvents") + for event in events.getElementNames(): + attributes = events.getByName(event) + for attribute in attributes: + if attribute.Name == "EventType" and attribute.Value == "Script": + return 2 + + # 2 = images with script events + images = _.doc.DrawPage.createEnumeration() + while images.hasMoreElements(): + image = images.nextElement() + try: + events = image.Events + for event in events.getElementNames(): + attributes = events.getByName(event) + for attribute in attributes: + if attribute.Name == "EventType" and attribute.Value == "Script": + return 2 + except: + pass + + _.secure = True + return 0 + def run(self): global __thread__ try: - exec(self.code) + # check document security + secid = self.secure() + if secid > 0: + parent = _.doc.CurrentController.Frame.ContainerWindow + MessageBox(parent, "Document objects with%s script events" % [" possible", ""][secid-1], "LibreLogo program can't start", "errorbox") + else: + exec(self.code) if _.origcursor[0] and _.origcursor[1]: __dispatcher__(".uno:Escape") try: |