Let sysadmins disable individual file format filters

It makes sense to disable a filter, as a temporary security measure,
when there is a 0-day vulnerability in it.

E.g., when 0-day found in AbiWord filter, this config snippet disables it:
<item oor:path="/org.openoffice.TypeDetection.Filter">
    <node oor:name="Filters">
        <node oor:name="AbiWord">
            <prop oor:name="Enabled" oor:finalized="true">
                <value>false</value>
            </prop>
        </node>
    </node>
</item>

Change-Id: I8b84250c7e4aac3555877d23f58ed13a2210ebfc
Reviewed-on: https://gerrit.libreoffice.org/50961
Reviewed-by: Andras Timar <andras.timar@collabora.com>
Tested-by: Andras Timar <andras.timar@collabora.com>

9 files changed, 39 insertions, 8 deletions

diff --git a/filter/source/config/cache/constant.hxx b/filter/source/config/cache/constant.hxx
index 8f6b46e2fc38..c8a45889ee0e 100644
--- a/filter/source/config/cache/constant.hxx
+++ b/filter/source/config/cache/constant.hxx
@@ -58,6 +58,7 @@
 #define  PROPNAME_TEMPLATENAME      "TemplateName"
 #define  PROPNAME_FILEFORMATVERSION "FileFormatVersion"
 #define  PROPNAME_EXPORTEXTENSION   "ExportExtension"
+#define  PROPNAME_ENABLED           "Enabled"
 
 /** @short  used to identify a frame loader or detect service item
             property against the configuration API and can be used
diff --git a/filter/source/config/cache/filtercache.cxx b/filter/source/config/cache/filtercache.cxx
index e9b810b78a5b..8db4a79ff5af 100644
--- a/filter/source/config/cache/filtercache.cxx
+++ b/filter/source/config/cache/filtercache.cxx
@@ -63,10 +63,11 @@ FilterCache::FilterCache()
     , m_eFillState(E_CONTAINS_NOTHING                      )
 {
     int i = 0;
-    OUString sStandardProps[9];
+    OUString sStandardProps[10];
 
     sStandardProps[i++] = PROPNAME_USERDATA;
     sStandardProps[i++] = PROPNAME_TEMPLATENAME;
+    sStandardProps[i++] = PROPNAME_ENABLED;
     // E_READ_UPDATE only above
     sStandardProps[i++] = PROPNAME_TYPE;
     sStandardProps[i++] = PROPNAME_FILEFORMATVERSION;
@@ -79,9 +80,9 @@ FilterCache::FilterCache()
 
     // E_READ_NOTHING -> creative nothingness.
     m_aStandardProps[E_READ_STANDARD] =
-        css::uno::Sequence< OUString >(sStandardProps + 2, 7);
+        css::uno::Sequence< OUString >(sStandardProps + 3, 7);
     m_aStandardProps[E_READ_UPDATE] =
-        css::uno::Sequence< OUString >(sStandardProps, 2);
+        css::uno::Sequence< OUString >(sStandardProps, 3);
     m_aStandardProps[E_READ_ALL] =
         css::uno::Sequence< OUString >(sStandardProps,
                                        SAL_N_ELEMENTS(sStandardProps));
diff --git a/include/sfx2/docfilt.hxx b/include/sfx2/docfilt.hxx
index d5e0507d577a..2e8cc62c177d 100644
--- a/include/sfx2/docfilt.hxx
+++ b/include/sfx2/docfilt.hxx
@@ -60,6 +60,7 @@ class SFX2_DLLPUBLIC SfxFilter
     SfxFilterFlags  nFormatType;
     sal_Int32       nVersion;
     SotClipboardFormatId lFormat;
+    bool mbEnabled;
 
 public:
     SfxFilter( const OUString& rProvider, const OUString& rFilterName );
@@ -71,7 +72,8 @@ public:
                const OUString &rTypeName,
                const OUString &rMimeType,
                const OUString &rUserData,
-               const OUString& rServiceName );
+               const OUString& rServiceName,
+               bool bEnabled = true );
     ~SfxFilter();
 
     bool IsAllowedAsTemplate() const { return bool(nFormatType & SfxFilterFlags::TEMPLATE); }
@@ -115,6 +117,7 @@ public:
     /// @throws css::uno::RuntimeException
     static OUString GetTypeFromStorage(
         const css::uno::Reference<css::embed::XStorage>& xStorage );
+    bool IsEnabled() const  { return mbEnabled; }
 };
 
 #endif
diff --git a/include/vcl/errcode.hxx b/include/vcl/errcode.hxx
index 4116a792c43e..8f1ba5ffc912 100644
--- a/include/vcl/errcode.hxx
+++ b/include/vcl/errcode.hxx
@@ -226,6 +226,7 @@ enum class ErrCodeClass {
 #define ERRCODE_IO_WRITEPROTECTED        ErrCode( ErrCodeArea::Io, ErrCodeClass::Access, 37 )
 #define ERRCODE_IO_BROKENPACKAGE         ErrCode( ErrCodeArea::Io, ErrCodeClass::Format, 38 )
 #define ERRCODE_IO_NOTSTORABLEINBINARYFORMAT ErrCode( ErrCodeArea::Io, ErrCodeClass::Format, 39 )
+#define ERRCODE_IO_FILTERDISABLED        ErrCode( ErrCodeArea::Io, ErrCodeClass::Format, 40 )
 
 // StreamErrorCodes
 
diff --git a/officecfg/registry/schema/org/openoffice/TypeDetection/Filter.xcs b/officecfg/registry/schema/org/openoffice/TypeDetection/Filter.xcs
index d4d12de48425..5433e1349798 100644
--- a/officecfg/registry/schema/org/openoffice/TypeDetection/Filter.xcs
+++ b/officecfg/registry/schema/org/openoffice/TypeDetection/Filter.xcs
@@ -94,6 +94,14 @@
           this filter.</desc>
         </info>
       </prop>
+      <prop oor:name="Enabled" oor:type="xs:boolean" oor:nillable="false">
+        <info>
+          <desc>Whether the filter is enabled. It makes sense to disable a filter,
+          as a temporary security measure, when there is a 0-day vulnerability in
+          it.</desc>
+        </info>
+        <value>true</value>
+      </prop>
     </group>
   </templates>
   <component>
diff --git a/sfx2/source/bastyp/fltfnc.cxx b/sfx2/source/bastyp/fltfnc.cxx
index 5bbdfed0b7eb..c4eca2d5b0d8 100644
--- a/sfx2/source/bastyp/fltfnc.cxx
+++ b/sfx2/source/bastyp/fltfnc.cxx
@@ -920,6 +920,7 @@ void SfxFilterContainer::ReadSingleFilter_Impl(
         OUString sExtension          ;
         OUString sPattern            ;
         OUString sServiceName        ;
+        bool bEnabled = true         ;
 
         // first get directly available properties
         sal_Int32 nFilterPropertyCount = lFilterProperties.getLength();
@@ -1014,6 +1015,11 @@ void SfxFilterContainer::ReadSingleFilter_Impl(
                     }
                 }
             }
+            else if ( lFilterProperties[nFilterProperty].Name == "Enabled" )
+            {
+                lFilterProperties[nFilterProperty].Value >>= bEnabled;
+            }
+
         }
 
         if ( sServiceName.isEmpty() )
@@ -1050,7 +1056,8 @@ void SfxFilterContainer::ReadSingleFilter_Impl(
                                      sType                   ,
                                      sMimeType               ,
                                      sUserData               ,
-                                     sServiceName ));
+                                     sServiceName            ,
+                                     bEnabled ));
             rList.push_back( pFilter );
         }
         else
@@ -1064,6 +1071,7 @@ void SfxFilterContainer::ReadSingleFilter_Impl(
             pFilt->aMimeType    = sMimeType;
             pFilt->aUserData    = sUserData;
             pFilt->aServiceName = sServiceName;
+            pFilt->mbEnabled    = bEnabled;
         }
 
         SfxFilter* pFilt = const_cast<SfxFilter*>(pFilter.get());
diff --git a/sfx2/source/doc/docfilt.cxx b/sfx2/source/doc/docfilt.cxx
index 0bfefd65a59b..d4bb139993e0 100644
--- a/sfx2/source/doc/docfilt.cxx
+++ b/sfx2/source/doc/docfilt.cxx
@@ -43,7 +43,8 @@ SfxFilter::SfxFilter( const OUString& rProvider, const OUString &rFilterName ) :
     maProvider(rProvider),
     nFormatType(SfxFilterFlags::NONE),
     nVersion(0),
-    lFormat(SotClipboardFormatId::NONE)
+    lFormat(SotClipboardFormatId::NONE),
+    mbEnabled(true)
 {
 }
 
@@ -54,7 +55,8 @@ SfxFilter::SfxFilter( const OUString &rName,
                       const OUString &rTypNm,
                       const OUString &rMimeType,
                       const OUString &rUsrDat,
-                      const OUString &rServiceName ):
+                      const OUString &rServiceName,
+                      bool bEnabled ):
     aWildCard(rWildCard, ';'),
     aTypeName(rTypNm),
     aUserData(rUsrDat),
@@ -64,7 +66,8 @@ SfxFilter::SfxFilter( const OUString &rName,
     aUIName(maFilterName),
     nFormatType(nType),
     nVersion(SOFFICE_FILEFORMAT_50),
-    lFormat(lFmt)
+    lFormat(lFmt),
+    mbEnabled(bEnabled)
 {
     OUString aExts = GetWildcard().getGlob();
     OUString glob;
diff --git a/sfx2/source/doc/objstor.cxx b/sfx2/source/doc/objstor.cxx
index 5de8041192d4..feff5dfd91a1 100644
--- a/sfx2/source/doc/objstor.cxx
+++ b/sfx2/source/doc/objstor.cxx
@@ -646,6 +646,11 @@ bool SfxObjectShell::DoLoad( SfxMedium *pMed )
     pImpl->nLoadedFlags = SfxLoadedFlags::NONE;
     pImpl->bModelInitialized = false;
 
+    if (pFilter && !pFilter->IsEnabled())
+    {
+        SetError( ERRCODE_IO_FILTERDISABLED );
+    }
+
     // initialize static language table so language-related extensions are learned before the document loads
     (void)SvtLanguageTable::GetLanguageEntryCount();
 
diff --git a/svtools/inc/errtxt.hrc b/svtools/inc/errtxt.hrc
index b0c82246c807..d6e2c0008a1c 100644
--- a/svtools/inc/errtxt.hrc
+++ b/svtools/inc/errtxt.hrc
@@ -130,6 +130,7 @@ const ErrMsgCode RID_ERRHDL[] =
     { NC_("RID_ERRHDL", "Wrong checksum.") , ERRCODE_IO_BADCRC },
     { NC_("RID_ERRHDL", "Function not possible: write protected.") , ERRCODE_IO_WRITEPROTECTED },
     { NC_("RID_ERRHDL", "The password of a shared spreadsheet cannot be set or changed.\nDeactivate sharing mode first."), ERRCODE_SFX_SHARED_NOPASSWORDCHANGE },
+    { NC_("RID_ERRHDL", "The filter for this file format is disabled in configuration. Please contact your systems administrator."), ERRCODE_IO_FILTERDISABLED },
     { nullptr, ERRCODE_NONE }
 };