[Libreoffice-commits] core.git: Branch 'distro/lhm/libreoffice-4-1-6+backports' - 3 commits - scripting/source sfx2/source

Caolán McNamara (via logerrit) logerrit at kemper.freedesktop.org
Wed Aug 7 15:57:07 UTC 2019 

 scripting/source/protocolhandler/scripthandler.cxx |    9 ++++++-
 scripting/source/pyprov/pythonscript.py            |    4 ++-
 sfx2/source/doc/objmisc.cxx                        |   24 ++++++++++++---------
 3 files changed, 24 insertions(+), 13 deletions(-)

New commits:
commit 74ec7d9dcd8e8d9189f3f77a2517f8e6355c6173
Author:     Caolán McNamara <caolanm at redhat.com>
AuthorDate: Wed Aug 7 12:58:01 2019 +0100
Commit:     Michael Stahl <Michael.Stahl at cib.de>
CommitDate: Wed Aug 7 17:42:05 2019 +0200

    expand pyuno path separators
    
    Change-Id: Ic97649ed6d4be595b308922c7bdc880cbb60b239
    Reviewed-on: https://gerrit.libreoffice.org/77102
    Reviewed-by: Michael Stahl <Michael.Stahl at cib.de>
    Tested-by: Jenkins
    Reviewed-by: Stephan Bergmann <sbergman at redhat.com>
    (cherry picked from commit 75903a0298218f89a199a5ac151ee0166f4469d7)

diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx
index d75bdc9b8cf7..1213855558ad 100644
--- a/sfx2/source/doc/objmisc.cxx
+++ b/sfx2/source/doc/objmisc.cxx
@@ -1537,7 +1537,8 @@ bool SfxObjectShell::UnTrustedScript(const OUString& rScriptURL)
     if (!sfUri.is())
         return false;
 
-    OUString sScript = sfUri->getName();
+    // pyuno encodes path separator as |
+    OUString sScript = sfUri->getName().replace('|', '/');
 
     // check if any path portion matches LibreLogo and ban it if it does
     sal_Int32 nIndex = 0;
commit e19bca460d5302947916ffab1d454ade6003e0d8
Author:     Stephan Bergmann <sbergman at redhat.com>
AuthorDate: Tue Aug 6 13:29:22 2019 +0200
Commit:     Michael Stahl <Michael.Stahl at cib.de>
CommitDate: Wed Aug 7 17:42:05 2019 +0200

    Properly obtain location
    
    Reviewed-on: https://gerrit.libreoffice.org/77019
    Tested-by: Jenkins
    Reviewed-by: Stephan Bergmann <sbergman at redhat.com>
    (cherry picked from commit a9cde2557242a0c343d99533f3ee032599c66f42)
    Reviewed-on: https://gerrit.libreoffice.org/77023
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    (cherry picked from commit 28c6af3ddc283ca9c5712359a9abcb385c1575b4)
    
    Change-Id: I9fb0d883a3623394343cd54ef61e5610544198c8

diff --git a/scripting/source/protocolhandler/scripthandler.cxx b/scripting/source/protocolhandler/scripthandler.cxx
index 43128f2a82ad..dfe376d5d25d 100644
--- a/scripting/source/protocolhandler/scripthandler.cxx
+++ b/scripting/source/protocolhandler/scripthandler.cxx
@@ -51,6 +51,7 @@
 #include "com/sun/star/uri/XUriReference.hpp"
 #include "com/sun/star/uri/UriReferenceFactory.hpp"
 #include "com/sun/star/uri/XVndSunStarScriptUrl.hpp"
+#include <com/sun/star/uri/XVndSunStarScriptUrlReference.hpp>
 
 using namespace ::com::sun::star;
 using namespace ::com::sun::star::uno;
@@ -147,8 +148,12 @@ void SAL_CALL ScriptProtocolHandler::dispatchWithNotification(
     {
         try
         {
-            bool bIsDocumentScript = ( aURL.Complete.indexOfAsciiL( RTL_CONSTASCII_STRINGPARAM( "document" ) ) !=-1 );
-                // TODO: isn't this somewhat strange? This should be a test for a location=document parameter, shouldn't it?
+            css::uno::Reference<css::uri::XUriReferenceFactory> urifac(
+                css::uri::UriReferenceFactory::create(m_xContext));
+            css::uno::Reference<css::uri::XVndSunStarScriptUrlReference> uri(
+                urifac->parse(aURL.Complete), css::uno::UNO_QUERY_THROW);
+            auto const loc = uri->getParameter("location");
+            bool bIsDocumentScript = loc == "document";
 
             if ( bIsDocumentScript )
             {
diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx
index aafe8755a627..d75bdc9b8cf7 100644
--- a/sfx2/source/doc/objmisc.cxx
+++ b/sfx2/source/doc/objmisc.cxx
@@ -1560,19 +1560,22 @@ ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptCon
     OSL_TRACE( "in CallXScript" );
     ErrCode nErr = ERRCODE_NONE;
 
-    bool bIsDocumentScript = ( _rScriptURL.indexOfAsciiL( RTL_CONSTASCII_STRINGPARAM( "location=document" ) ) >= 0 );
-        // TODO: we should parse the URL, and check whether there is a parameter with this name.
-        // Otherwise, we might find too much.
-    if ( bIsDocumentScript && !lcl_isScriptAccessAllowed_nothrow( _rxScriptContext ) )
-        return ERRCODE_IO_ACCESSDENIED;
-
-    if ( UnTrustedScript(_rScriptURL) )
-        return ERRCODE_IO_ACCESSDENIED;
-
     bool bCaughtException = false;
     Any aException;
     try
     {
+        css::uno::Reference<css::uri::XUriReferenceFactory> urifac(
+            css::uri::UriReferenceFactory::create(comphelper::getProcessComponentContext()));
+        css::uno::Reference<css::uri::XVndSunStarScriptUrlReference> uri(
+            urifac->parse(_rScriptURL), css::uno::UNO_QUERY_THROW);
+        auto const loc = uri->getParameter("location");
+        bool bIsDocumentScript = loc == "document";
+        if ( bIsDocumentScript && !lcl_isScriptAccessAllowed_nothrow( _rxScriptContext ) )
+            return ERRCODE_IO_ACCESSDENIED;
+
+        if ( UnTrustedScript(_rScriptURL) )
+            return ERRCODE_IO_ACCESSDENIED;
+
         // obtain/create a script provider
         Reference< provider::XScriptProvider > xScriptProvider;
         Reference< provider::XScriptProviderSupplier > xSPS( _rxScriptContext, UNO_QUERY );
commit adb9858a4278e75bc4fb3fdbde56e77a158e915d
Author:     Stephan Bergmann <sbergman at redhat.com>
AuthorDate: Sat Aug 3 16:37:48 2019 +0100
Commit:     Michael Stahl <Michael.Stahl at cib.de>
CommitDate: Wed Aug 7 17:19:31 2019 +0200

    keep name percent-encoded
    
    Change-Id: I470c4b24192c3e3c9b556a9bbb3b084359e0033b
    Reviewed-on: https://gerrit.libreoffice.org/77006
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    (cherry picked from commit 315c51731384230194af26b86a976bf5d06c9dcc)

diff --git a/scripting/source/pyprov/pythonscript.py b/scripting/source/pyprov/pythonscript.py
index 584cb7792b63..5f13f5fd9c07 100755
--- a/scripting/source/pyprov/pythonscript.py
+++ b/scripting/source/pyprov/pythonscript.py
@@ -209,7 +209,9 @@ class MyUriHelper:
 
             # path to the .py file + "$functionname, arguments, etc
             xStorageUri = self.m_uriRefFac.parse(scriptURI)
-            sStorageUri = xStorageUri.getName().replace( "|", "/" );
+            # getName will apply url-decoding to the name, so encode back
+            sStorageUri = xStorageUri.getName().replace("%", "%25")
+            sStorageUri = sStorageUri.replace( "|", "/" )
 
             # path to the .py file, relative to the base
             sFileUri = sStorageUri[0:sStorageUri.find("$")]

More information about the Libreoffice-commits mailing list