This is an automated email from the ASF dual-hosted git repository.

ardovm pushed a commit to branch bug128453
in repository https://gitbox.apache.org/repos/asf/openoffice.git

commit b1ea03bf0eb0afec27d7d57290a24317f7e1d9ee
Author: Arrigo Marchiori <ard...@yahoo.it>
AuthorDate: Tue Jun 1 19:39:10 2021 +0200

    Ask for confirmation only when the OS is involved
---
 main/sfx2/source/appl/appopen.cxx | 88 ++++++++++++++++-----------------------
 1 file changed, 35 insertions(+), 53 deletions(-)

diff --git a/main/sfx2/source/appl/appopen.cxx 
b/main/sfx2/source/appl/appopen.cxx
index 44c3000..4b58708 100644
--- a/main/sfx2/source/appl/appopen.cxx
+++ b/main/sfx2/source/appl/appopen.cxx
@@ -930,58 +930,7 @@ void SfxApplication::OpenDocExec_Impl( SfxRequest& rReq )
                        INetProtocol aINetProtocol = 
aINetURLObject.GetProtocol();
                        SvtExtendedSecurityOptions aExtendedSecurityOptions;
                        SvtExtendedSecurityOptions::OpenHyperlinkMode eMode = 
aExtendedSecurityOptions.GetOpenHyperlinkMode();
-                       if ( eMode == 
SvtExtendedSecurityOptions::OPEN_WITHSECURITYCHECK )
-                       {
-                /*!!! pb: #i49802# no security warning any longer
-                ardovm: Restored security checks in March 2021 */
-                // Check if file URL is a directory. This is not insecure!
-                sal_Bool bIsDir = aINetURLObject.hasFinalSlash() ||
-                    ( osl::Directory(aURL.Main).open() ==
-                      osl::Directory::E_None );
-                // Use SvtExtendedSecurityOptions::IsSecureHyperlink()
-                // to check the extension of the link destination.
-                sal_Bool bSafeExtension = 
aExtendedSecurityOptions.IsSecureHyperlink(aURL.Complete);
-                // We consider some protocols unsafe
-                sal_Bool bUnsafeProtocol;
-                switch (aINetProtocol) {
-                case INET_PROT_HTTP:
-                case INET_PROT_HTTPS:
-                   bSafeExtension = true; // trust the browser to prevent 
unsafe extensions
-                // case INET_PROT_FTP:
-                case INET_PROT_VND_SUN_STAR_HELP:
-                case INET_PROT_MAILTO:
-                    bUnsafeProtocol = false;
-                    break;
-                default: // Anything else, including INET_PROT_FILE
-                    bUnsafeProtocol = true;
-                    break;
-                }
-                if ( (!bIsDir && !bSafeExtension) || bUnsafeProtocol )
-                {
-                    // Security check for local files depending on the 
extension
-                    vos::OGuard aGuard( Application::GetSolarMutex() );
-                    Window *pWindow = SFX_APP()->GetTopWindow();
-
-                    String aSecurityWarningBoxTitle( SfxResId( 
RID_SECURITY_WARNING_TITLE ));
-                    WarningBox aSecurityWarningBox( pWindow, SfxResId( 
RID_SECURITY_WARNING_HYPERLINK ));
-                    aSecurityWarningBox.SetText( aSecurityWarningBoxTitle );
-
-                    // Replace %s with the real file name
-                    String aMsgText = aSecurityWarningBox.GetMessText();
-                    String aMainURL( aURL.Main );
-                    String aFileNameInMsg;
-
-                    if (!utl::LocalFileHelper::ConvertURLToPhysicalName( 
aMainURL, aFileNameInMsg )) {
-                        aFileNameInMsg = aMainURL;
-                    }
-                    aMsgText.SearchAndReplaceAscii( "%s", aFileNameInMsg );
-                    aSecurityWarningBox.SetMessText( aMsgText );
-
-                    if( aSecurityWarningBox.Execute() == RET_NO )
-                        return;
-                               }
-                       }
-            else if ( eMode == SvtExtendedSecurityOptions::OPEN_NEVER && 
aINetProtocol != INET_PROT_VND_SUN_STAR_HELP )
+            if ( eMode == SvtExtendedSecurityOptions::OPEN_NEVER && 
aINetProtocol != INET_PROT_VND_SUN_STAR_HELP )
                        {
                 vos::OGuard aGuard( Application::GetSolarMutex() );
                 Window *pWindow = SFX_APP()->GetTopWindow();
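Review bot: Nothing at this point tells a reader where the OPEN_WITHSECURITYCHECK handling went. `eMode` is still fetched just above, but only OPEN_NEVER is acted on here, and the removed comment was the only record of the check's history. A short comment above the remaining `if` would help, for example `// OPEN_WITHSECURITYCHECK is handled further down, right before the URL is handed to the OS`. OpenDocExec_Impl starts and ends outside the hunk, so the distance between the two places is not visible from here.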
@@ -1097,7 +1046,40 @@ void SfxApplication::OpenDocExec_Impl( SfxRequest& rReq )
                                                        if 
(SFX_APP()->IsSecureURL(rtl::OUString(), &aReferer))
                                                        {
                                                                ::rtl::OUString 
aURLString( aURL.Complete );
-
+                                // Before letting the OS execute the URL, we 
may have to request for
+                                // confirmation
+                                if ( eMode == 
SvtExtendedSecurityOptions::OPEN_WITHSECURITYCHECK ) {
+                                    // Check if file URL is a directory. This 
is not insecure!
+                                    sal_Bool bIsDir = 
aINetURLObject.hasFinalSlash() ||
+                                        ( osl::Directory(aURL.Main).open() ==
+                                          osl::Directory::E_None );
+                                    // Use 
SvtExtendedSecurityOptions::IsSecureHyperlink()
+                                    // to check the extension of the link 
destination.
+                                    sal_Bool bSafeExtension = 
aExtendedSecurityOptions.IsSecureHyperlink(aURL.Complete);
+                                    if (!bIsDir && !bSafeExtension) {
+                                        // Security check for local files 
depending on the extension
+                                        vos::OGuard aGuard( 
Application::GetSolarMutex() );
+                                        Window *pWindow = 
SFX_APP()->GetTopWindow();
+
+                                        String aSecurityWarningBoxTitle( 
SfxResId( RID_SECURITY_WARNING_TITLE ));
+                                        WarningBox     aSecurityWarningBox( 
pWindow, SfxResId( RID_SECURITY_WARNING_HYPERLINK ));
+                                        aSecurityWarningBox.SetText( 
aSecurityWarningBoxTitle );
+
+                                        // Replace %s with the real file name
+                                        String aMsgText = 
aSecurityWarningBox.GetMessText();
+                                        String aMainURL( aURL.Main );
+                                        String aFileNameInMsg;
+
+                                        if 
(!utl::LocalFileHelper::ConvertURLToPhysicalName( aMainURL, aFileNameInMsg )) {
+                                            aFileNameInMsg = aMainURL;
+                                        }
+                                        aMsgText.SearchAndReplaceAscii( "%s", 
aFileNameInMsg );
+                                        aSecurityWarningBox.SetMessText( 
aMsgText );
+
+                                        if( aSecurityWarningBox.Execute() == 
RET_NO )
+                                            return;
+                                    }
+                                }
                                                                try
                                                                {
                                                                        // give 
os this file
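Review bot: The confirmation moved here no longer considers the protocol. The removed block prompted for every scheme other than http, https, vnd.sun.star.help and mailto, whereas the new condition is only `if (!bIsDir && !bSafeExtension)`. Because `bIsDir` is true for any URL with a final slash, whatever its scheme, a link that ends in `/` or has an extension IsSecureHyperlink() accepts appears to reach the OS hand-off below without a prompt. Unless the lines between the two hunks (not visible here) already restrict the scheme, consider limiting the directory exemption to file URLs, e.g. `sal_Bool bIsDir = ( aINetProtocol == INET_PROT_FILE ) && ( aINetURLObject.hasFinalSlash() || osl::Directory(aURL.Main).open() == osl::Directory::E_None );`, and keeping the prompt for schemes outside the known set. The enclosing function continues past the end of the hunk.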
