mirror of
https://abf.rosa.ru/djam/libreoffice.git
synced 2025-02-23 18:43:00 +00:00
36 lines
1.4 KiB
Diff
36 lines
1.4 KiB
Diff
Description: Explictly exclude LibreLogo from XScript usage
|
|
Author: Caolán McNamara <caolanm@redhat.com>
|
|
Upstream Commit: https://cgit.freedesktop.org/libreoffice/core/commit/?id=cb0024e3668979dfdef44db5aa15ddfaf035e695
|
|
Bug: https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848/
|
|
|
|
diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx
|
|
index a5e62da8c..02d79c356 100644
|
|
--- a/sfx2/source/doc/objmisc.cxx
|
|
+++ b/sfx2/source/doc/objmisc.cxx
|
|
@@ -1347,6 +1347,16 @@ namespace
|
|
}
|
|
}
|
|
|
|
+namespace {
|
|
+
|
|
+// don't allow LibreLogo to be used with our mouseover/etc dom-alike events
|
|
+bool UnTrustedScript(const OUString& rScriptURL)
|
|
+{
|
|
+ return rScriptURL.startsWithIgnoreAsciiCase("vnd.sun.star.script:LibreLogo");
|
|
+}
|
|
+
|
|
+}
|
|
+
|
|
ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptContext, const OUString& _rScriptURL,
|
|
const Sequence< Any >& aParams, Any& aRet, Sequence< sal_Int16 >& aOutParamIndex, Sequence< Any >& aOutParam, bool bRaiseError, const css::uno::Any* pCaller )
|
|
{
|
|
@@ -1359,6 +1369,9 @@ ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptCon
|
|
if ( bIsDocumentScript && !lcl_isScriptAccessAllowed_nothrow( _rxScriptContext ) )
|
|
return ERRCODE_IO_ACCESSDENIED;
|
|
|
|
+ if ( UnTrustedScript(_rScriptURL) )
|
|
+ return ERRCODE_IO_ACCESSDENIED;
|
|
+
|
|
bool bCaughtException = false;
|
|
Any aException;
|
|
try
|