diff options
| author | Stephan Bergmann <sbergman@redhat.com> | 2013-11-14 10:39:27 +0100 |
|---|---|---|
| committer | Stephan Bergmann <sbergman@redhat.com> | 2013-11-14 11:13:25 +0100 |
| commit | f0a9ca24fd4bf79cac908bf0d6fdb8905dc504db (patch) | |
| tree | 5f16cbc9fd307ec3d9f290ea5b93f8ceb500c726 /cui | |
| parent | 96aca98168cba4b9055f2e2a16bb1a8f6f6e57ce (diff) | |
rhbz#887420 Implement "block untrusted referer links" feature
For now, this checks for a trusted referer (if the BlockUntrustedRefererLinks
configuration prop is set) in utl::MediaDescriptor::impl_openStreamWithURL and
SvxBrushItem::GetGraphicObject. Checking in additional places will probably be
necessary to block /all/ unwanted communication. Also, some places marked
/*TODO?*/ currently pass in an empty referer (which is always considered
trusted) and will probably need to be adapted.
Ideally, Referer URIs would never be empty (and consistently use something like
<private:user> for cases where access is explicitly initiated by the user and
should never be blocked), but that's a very daunting task, so start small by
identifying the places that potentially need blocking and adding appropriate
Referer URIs there. Also, Referer information should always be computed as
freshly as possible from the context in which an access attempt is made, but,
again, always carrying the information from the context all the way to the
relevant functions is a very daunting task, so for now store the information
upon object instantiation in some cases (SvxBrushItem, SdrGrafObj, ...).
The Referer URI (css.document.MediaDescriptor property; SID_REFERER) was already
used to track macro execution, and there is one place in
SfxApplication::OpenDocExec_Impl where opening of hyperlinks (explicitly clicked
by the user) is done that needs the current document's URI as Referer to check
execution of macro URIs but needs an empty (or <private:user>, see above)
Referer to not block non-macro URIs. Special code has been added there to
handle that.
Change-Id: Iafbdc07a9fe925d9ee580d4f5778448f18f2ebd9
Diffstat (limited to 'cui')
| -rw-r--r-- | cui/source/tabpages/backgrnd.cxx | 8 | ||||
| -rw-r--r-- | cui/source/tabpages/tpbitmap.cxx | 2 | ||||
| -rw-r--r-- | cui/source/tabpages/tpgradnt.cxx | 2 | ||||
| -rw-r--r-- | cui/source/tabpages/tphatch.cxx | 2 | ||||
| -rw-r--r-- | cui/source/tabpages/tpline.cxx | 2 | ||||
| -rw-r--r-- | cui/source/tabpages/tplnedef.cxx | 2 | ||||
| -rw-r--r-- | cui/source/tabpages/tplneend.cxx | 2 |
7 files changed, 10 insertions, 10 deletions
diff --git a/cui/source/tabpages/backgrnd.cxx b/cui/source/tabpages/backgrnd.cxx index e1e598ddb6a6..7948b6ca5066 100644 --- a/cui/source/tabpages/backgrnd.cxx +++ b/cui/source/tabpages/backgrnd.cxx @@ -843,7 +843,7 @@ sal_Bool SvxBackgroundTabPage::FillItemSet( SfxItemSet& rCoreSet ) SvxBrushItem aTmpBrush(nWhich); if ( bIsLink ) { - aTmpBrush = SvxBrushItem( aBgdGraphicPath, + aTmpBrush = SvxBrushItem( aBgdGraphicPath, ""/*TODO?*/, aBgdGraphicFilter, eNewPos, nWhich ); @@ -881,7 +881,7 @@ sal_Bool SvxBackgroundTabPage::FillItemSet( SfxItemSet& rCoreSet ) SvxBrushItem* pTmpBrush = 0; if ( m_pBtnLink->IsChecked() ) { - pTmpBrush = new SvxBrushItem( aBgdGraphicPath, + pTmpBrush = new SvxBrushItem( aBgdGraphicPath, ""/*TODO?*/, aBgdGraphicFilter, GetGraphicPosition_Impl(), nWhich ); @@ -1665,7 +1665,7 @@ IMPL_LINK( SvxBackgroundTabPage, TblDestinationHdl_Impl, ListBox*, pBox ) bIsGraphicValid = LoadLinkedGraphic_Impl(); if ( bIsLink ) - *pActItem = SvxBrushItem( aBgdGraphicPath, + *pActItem = SvxBrushItem( aBgdGraphicPath, ""/*TODO?*/, aBgdGraphicFilter, eNewPos, pActItem->Which() ); @@ -1746,7 +1746,7 @@ IMPL_LINK( SvxBackgroundTabPage, ParaDestinationHdl_Impl, ListBox*, pBox ) bIsGraphicValid = LoadLinkedGraphic_Impl(); if ( bIsLink ) - *pActItem = SvxBrushItem( aBgdGraphicPath, + *pActItem = SvxBrushItem( aBgdGraphicPath, ""/*TODO?*/, aBgdGraphicFilter, eNewPos, pActItem->Which() ); diff --git a/cui/source/tabpages/tpbitmap.cxx b/cui/source/tabpages/tpbitmap.cxx index 89a51a8b26f2..d3647e30cab4 100644 --- a/cui/source/tabpages/tpbitmap.cxx +++ b/cui/source/tabpages/tpbitmap.cxx @@ -792,7 +792,7 @@ IMPL_LINK_NOARG(SvxBitmapTabPage, ClickLoadHdl_Impl) // save table XBitmapListRef pBmpList = XPropertyList::CreatePropertyList( - XBITMAP_LIST, aPathURL.GetMainURL( INetURLObject::NO_DECODE ) )->AsBitmapList(); + XBITMAP_LIST, aPathURL.GetMainURL( INetURLObject::NO_DECODE ), "" )->AsBitmapList(); pBmpList->SetName( aURL.getName() ); if( pBmpList->Load() ) { diff --git a/cui/source/tabpages/tpgradnt.cxx b/cui/source/tabpages/tpgradnt.cxx index 6a2a70bfa5c8..001c042c4d23 100644 --- a/cui/source/tabpages/tpgradnt.cxx +++ b/cui/source/tabpages/tpgradnt.cxx @@ -646,7 +646,7 @@ IMPL_LINK_NOARG(SvxGradientTabPage, ClickLoadHdl_Impl) // save list XGradientListRef pGrdList = XPropertyList::CreatePropertyList( - XGRADIENT_LIST, aPathURL.GetMainURL( INetURLObject::NO_DECODE ) )->AsGradientList(); + XGRADIENT_LIST, aPathURL.GetMainURL( INetURLObject::NO_DECODE ), "" )->AsGradientList(); pGrdList->SetName( aURL.getName() ); if ( pGrdList->Load() ) diff --git a/cui/source/tabpages/tphatch.cxx b/cui/source/tabpages/tphatch.cxx index 1021f629120a..d6c4d60575b2 100644 --- a/cui/source/tabpages/tphatch.cxx +++ b/cui/source/tabpages/tphatch.cxx @@ -686,7 +686,7 @@ IMPL_LINK_NOARG(SvxHatchTabPage, ClickLoadHdl_Impl) aPathURL.removeFinalSlash(); XHatchListRef pHatchList = XPropertyList::CreatePropertyList( - XHATCH_LIST, aPathURL.GetMainURL( INetURLObject::NO_DECODE ) )->AsHatchList(); + XHATCH_LIST, aPathURL.GetMainURL( INetURLObject::NO_DECODE ), "" )->AsHatchList(); pHatchList->SetName( aURL.getName() ); if( pHatchList->Load() ) { diff --git a/cui/source/tabpages/tpline.cxx b/cui/source/tabpages/tpline.cxx index 458b6b920d93..a5a9cdc752fb 100644 --- a/cui/source/tabpages/tpline.cxx +++ b/cui/source/tabpages/tpline.cxx @@ -266,7 +266,7 @@ void SvxLineTabPage::InitSymbols(MenuButton* pButton) pUIName = &aPhysicalName; } - SvxBrushItem* pBrushItem = new SvxBrushItem(*it, aEmptyStr, GPOS_AREA, SID_ATTR_BRUSH); + SvxBrushItem* pBrushItem = new SvxBrushItem(*it, ""/*TODO?*/, aEmptyStr, GPOS_AREA, SID_ATTR_BRUSH); pBrushItem->SetDoneLink(STATIC_LINK(this, SvxLineTabPage, GraphicArrivedHdl_Impl)); SvxBmpItemInfo* pInfo = new SvxBmpItemInfo(); diff --git a/cui/source/tabpages/tplnedef.cxx b/cui/source/tabpages/tplnedef.cxx index 57d612f1d9e7..1d09382d4c4d 100644 --- a/cui/source/tabpages/tplnedef.cxx +++ b/cui/source/tabpages/tplnedef.cxx @@ -749,7 +749,7 @@ IMPL_LINK_NOARG(SvxLineDefTabPage, ClickLoadHdl_Impl) aPathURL.removeSegment(); aPathURL.removeFinalSlash(); - XDashListRef pDshLst = XPropertyList::CreatePropertyList( XDASH_LIST, aPathURL.GetMainURL( INetURLObject::NO_DECODE ) )->AsDashList(); + XDashListRef pDshLst = XPropertyList::CreatePropertyList( XDASH_LIST, aPathURL.GetMainURL( INetURLObject::NO_DECODE ), "" )->AsDashList(); pDshLst->SetName( aURL.getName() ); if( pDshLst->Load() ) diff --git a/cui/source/tabpages/tplneend.cxx b/cui/source/tabpages/tplneend.cxx index ecaae0a2fa1f..bb3a0967c913 100644 --- a/cui/source/tabpages/tplneend.cxx +++ b/cui/source/tabpages/tplneend.cxx @@ -569,7 +569,7 @@ IMPL_LINK_NOARG(SvxLineEndDefTabPage, ClickLoadHdl_Impl) aPathURL.removeSegment(); aPathURL.removeFinalSlash(); - XLineEndListRef pLeList = XPropertyList::CreatePropertyList(XLINE_END_LIST, aPathURL.GetMainURL( INetURLObject::NO_DECODE ) )->AsLineEndList(); + XLineEndListRef pLeList = XPropertyList::CreatePropertyList(XLINE_END_LIST, aPathURL.GetMainURL( INetURLObject::NO_DECODE ), "" )->AsLineEndList(); pLeList->SetName( aURL.getName() ); if( pLeList->Load() ) { |