authorLászló Németh <nemeth@numbertext.org>2019-06-06 14:25:32 +0200
committerThorsten Behrens <Thorsten.Behrens@CIB.de>2019-08-30 22:53:57 +0200
commit1be871b9e6f8df0126a8a67bd6b98f9f7f36fd48 (patch)
treeecd4e527fd79f672d03bfec0f8f5fa89a8868d78
parente9e9a5870167a8371ff71752e125bfdab546e214 (diff)
sanitize LibreLogo calls
Reviewed-on: https://gerrit.libreoffice.org/73627 Tested-by: Jenkins Reviewed-by: László Németh <nemeth@numbertext.org> (cherry picked from commit 1b63fa32bbd4a5b89d2ee3a53b28de4250c8dad3) (cherry picked from commit a781c5e2733ce5c975721fc6d46ff72e8cda3956) Change-Id: Ie4d9858e5b4b3e55ab08416fb9338d2df34ee5e1
-rw-r--r--librelogo/source/LibreLogo/LibreLogo.py51
1 files changed, 50 insertions, 1 deletions
diff --git a/librelogo/source/LibreLogo/LibreLogo.py b/librelogo/source/LibreLogo/LibreLogo.py
index d44ffa194a6d..dcbb37337454 100644
--- a/librelogo/source/LibreLogo/LibreLogo.py
+++ b/librelogo/source/LibreLogo/LibreLogo.py
@@ -67,6 +67,7 @@ __LineStyle_DOTTED__ = 2
class __Doc__:
def __init__(self, doc):
self.doc = doc
+ self.secure = False
try:
self.drawpage = doc.DrawPage # Writer
except:
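Review bot: The new `self.secure` flag in `__Doc__.__init__` has no comment and shares its name with the `LogoProgram.secure()` method added in the next hunk, whose convention is the opposite: the method returns 0 for a clean document, while the attribute is True for one. A comment such as `# True once the document has passed the script-event check in LogoProgram.secure()` would make the meaning clear. Alternatively the attribute could be renamed, for example `self.secure_checked = False`. `__init__` continues past the end of this hunk.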
@@ -381,10 +382,58 @@ class LogoProgram(threading.Thread):
self.code = code
threading.Thread.__init__(self)
+ def secure(self):
+ # 0 = secure
+ if _.secure:
+ return 0
+
+ # 1 = forms, fields or embedded objects are forbidden
+ if _.doc.DrawPage.Forms.getCount() > 0 or _.doc.getTextFields().createEnumeration().hasMoreElements() or _.doc.getEmbeddedObjects().getCount() > 0:
+ return 1
+
+ # 2 = hyperlinks with script events
+ nodes = _.doc.Text.createEnumeration()
+ while nodes.hasMoreElements():
+ node = nodes.nextElement()
+ if node.supportsService("com.sun.star.text.Paragraph"):
+ portions = node.createEnumeration()
+ while portions.hasMoreElements():
+ portion = portions.nextElement()
+ if portion.PropertySetInfo.hasPropertyByName("HyperLinkEvents"):
+ events = portion.getPropertyValue("HyperLinkEvents")
+ for event in events.getElementNames():
+ attributes = events.getByName(event)
+ for attribute in attributes:
+ if attribute.Name == "EventType" and attribute.Value == "Script":
+ return 2
+
+ # 2 = images with script events
+ images = _.doc.DrawPage.createEnumeration()
+ while images.hasMoreElements():
+ image = images.nextElement()
+ try:
+ events = image.Events
+ for event in events.getElementNames():
+ attributes = events.getByName(event)
+ for attribute in attributes:
+ if attribute.Name == "EventType" and attribute.Value == "Script":
+ return 2
+ except:
+ pass
+
+ _.secure = True
+ return 0
+
def run(self):
global __thread__
try:
- exec(self.code)
+ # check document security
+ secid = self.secure()
+ if secid > 0:
+ parent = _.doc.CurrentController.Frame.ContainerWindow
+ MessageBox(parent, "Document objects with%s script events" % [" possible", ""][secid-1], "LibreLogo program can't start", "errorbox")
+ else:
+ exec(self.code)
if _.origcursor:
__dispatcher__(".uno:Escape")
try:
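Review bot: The bare `except: pass` around the shape check in `secure()` makes the gate fail open: any error raised while reading `image.Events` or its entries is swallowed, and the method can still reach `_.secure = True` and return 0. If the handler exists only for shapes that have no `Events` property, catch that case alone, e.g. `except AttributeError: continue`, and return 2 on any other failure so that `exec(self.code)` is not reached for a document that could not be inspected. Separately, `_.secure = True` caches a passing result and nothing in the visible lines resets it, so objects added to the document after the first successful run would presumably not be re-checked; confirm the flag is cleared elsewhere or drop the cache. `run()` continues outside the hunk.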