desktop/source/app/updater.cxx | 2 + extensions/source/update/check/download.cxx | 2 + external/curl/ExternalProject_curl.mk | 13 +++++++---- external/curl/UnpackedTarball_curl.mk | 1 external/curl/curl-msvc-disable-protocols.patch.1 | 24 ++++++++++++++++++++++ external/libcmis/UnpackedTarball_cmis.mk | 1 external/libcmis/libcmis-curl-redirects.patch.1 | 24 ++++++++++++++++++++++ 7 files changed, 62 insertions(+), 5 deletions(-)
New commits: commit e845507bc22a166ec172a4b4d9da120a16f8a964 Author: Michael Stahl <mst...@redhat.com> Date: Wed Aug 9 17:53:44 2017 +0200 libcmis: configure curl to only allow redirects to HTTP/HTTPS Change-Id: I77e90ca955dc1249d259bf01cb107d5b317d8045 diff --git a/external/libcmis/UnpackedTarball_cmis.mk b/external/libcmis/UnpackedTarball_cmis.mk index a29b1e7cd6f8..a993e9fc111e 100644 --- a/external/libcmis/UnpackedTarball_cmis.mk +++ b/external/libcmis/UnpackedTarball_cmis.mk @@ -20,6 +20,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,cmis, \ external/libcmis/libcmis-fix-google-drive-2.patch \ external/libcmis/libcmis-sharepoint-repository-root.patch \ external/libcmis/libcmis-fix-error-handling.patch \ + external/libcmis/libcmis-curl-redirects.patch.1 \ )) ifeq ($(OS),WNT) diff --git a/external/libcmis/libcmis-curl-redirects.patch.1 b/external/libcmis/libcmis-curl-redirects.patch.1 new file mode 100644 index 000000000000..a429598543dc --- /dev/null +++ b/external/libcmis/libcmis-curl-redirects.patch.1 
@@ -0,0 +1,24 @@
+configure curl to only allow redirects to HTTP/HTTPS
+
+--- cmis/src/libcmis/http-session.cxx.orig 2017-08-09 17:39:11.686928636 +0200
++++ cmis/src/libcmis/http-session.cxx 2017-08-09 17:40:10.398933383 +0200
+@@ -525,6 +525,8 @@
+ {
+ // Redirect
+ curl_easy_setopt( m_curlHandle, CURLOPT_FOLLOWLOCATION, redirect);
++ // only allow redirect to http:// and https://
++ curl_easy_setopt(m_curlHandle, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
+
+ // Activate the cookie engine
+ curl_easy_setopt( m_curlHandle, CURLOPT_COOKIEFILE, "" );
+--- cmis/src/libcmis/sharepoint-session.cxx.orig 2017-08-09 17:39:19.974929306 +0200
++++ cmis/src/libcmis/sharepoint-session.cxx 2017-08-09 17:39:42.500931127 +0200
+@@ -204,6 +204,8 @@
+ {
+ // Redirect
+ curl_easy_setopt( m_curlHandle, CURLOPT_FOLLOWLOCATION, redirect);
++ // only allow redirect to http:// and https://
++ curl_easy_setopt(m_curlHandle, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
+
+ // Activate the cookie engine
+ curl_easy_setopt( m_curlHandle, CURLOPT_COOKIEFILE, "" );
commit bd60bbfbdfbeb2687297e4512ddbea62a394ae67
Author: Michael Stahl <mst...@redhat.com>
Date: Wed Aug 9 17:38:14 2017 +0200
desktop,extensions: updater: only allow redirects to HTTP/HTTPS Configure curl to prevent redirects to other protocols.
Change-Id: Ied73b3d9a062ea6e0a1d594f4c12162dffd6c4a7
diff --git a/desktop/source/app/updater.cxx b/desktop/source/app/updater.cxx
index 7e328a1a68d3..f855a15672a0 100644
--- a/desktop/source/app/updater.cxx
+++ b/desktop/source/app/updater.cxx
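Review bot: The two added `CURLOPT_REDIR_PROTOCOLS` calls (http-session.cxx and sharepoint-session.cxx) restrict only the targets of `Location:` redirects; the scheme of the URL a request starts from is not limited, because `CURLOPT_PROTOCOLS` is not set anywhere in these hunks. If these sessions can be handed URLs that originate in server responses, which is not visible here, a matching `curl_easy_setopt(m_curlHandle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);` beside each new line would cover that path too. The comment could also record the reason for the mask, e.g. `// a server-controlled redirect must not reach the other protocol handlers built into libcurl`. Both enclosing functions begin and end outside the hunks.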
@@ -512,6 +512,8 @@ std::string download_content(const OString& rURL, bool bFile, OUString& rHash) headerlist = curl_slist_append(headerlist, buf); curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headerlist); curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1); // follow redirects + // only allow redirect to http:// and https:// + curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS); std::string response_body; utl::TempFile aTempFile; diff --git a/extensions/source/update/check/download.cxx b/extensions/source/update/check/download.cxx index 4e557f02a8f1..7bc20f874f89 100644 --- a/extensions/source/update/check/download.cxx +++ b/extensions/source/update/check/download.cxx @@ -235,6 +235,8 @@ bool curl_run(const OUString& rURL, OutData& out, const OString& aProxyHost, sal // enable redirection curl_easy_setopt(pCURL, CURLOPT_FOLLOWLOCATION, 1); + // only allow redirect to http:// and https:// + curl_easy_setopt(pCURL, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS); // write function curl_easy_setopt(pCURL, CURLOPT_WRITEDATA, &out); commit 152a1d279cbc81e7b5f076a2c4b20c12c6929ce6 Author: Michael Stahl <mst...@redhat.com> Date: Wed Aug 9 16:52:18 2017 +0200 curl: disable protocols nobody needs in MSVC build These are disabled via configure on other platforms. Change-Id: I4e27865396f3817ceb5645ab8589c21fdaa5afab diff --git a/external/curl/UnpackedTarball_curl.mk b/external/curl/UnpackedTarball_curl.mk index de252469fcc2..5eba91f73f17 100644 --- a/external/curl/UnpackedTarball_curl.mk +++ b/external/curl/UnpackedTarball_curl.mk @@ -19,6 +19,7 @@ $(eval $(call gb_UnpackedTarball_fix_end_of_line,curl,\ $(eval $(call gb_UnpackedTarball_add_patches,curl,\ external/curl/curl-msvc.patch.1 \ + external/curl/curl-msvc-disable-protocols.patch.1 \ external/curl/curl-msvc-schannel.patch.1 \ external/curl/curl-7.26.0_win-proxy.patch \ )) 
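Review bot: Keeping `CURLPROTO_HTTP` in the redirect mask of `download_content` means a request that starts on HTTPS can still be redirected to cleartext HTTP. Whether the update URLs are HTTPS is not visible in this hunk; if they are, `curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);` is the tighter setting. Otherwise the comment should state what protects the downloaded content after a downgrade; the `rHash` out-parameter suggests a hash is computed, but its verification lies outside the hunk. The `curl_run` hunk in extensions/source/update/check/download.cxx uses the same mask, and the function body continues outside the hunk.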
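Review bot: In `curl_run` the new option is passed an `int` expression and its result is discarded; libcurl documents a `long` argument for `CURLOPT_REDIR_PROTOCOLS`, and a call that fails would leave redirects unrestricted with no trace. The portable spelling is `curl_easy_setopt(pCURL, CURLOPT_REDIR_PROTOCOLS, static_cast<long>(CURLPROTO_HTTP | CURLPROTO_HTTPS));`, with the return value compared against `CURLE_OK` and the download refused when the restriction cannot be applied. The cleanup path needed for that refusal is outside the hunk. The same form appears in the `download_content` hunk and in the two libcmis session files, and the existing `CURLOPT_FOLLOWLOCATION, 1` line shares the `int` argument.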
diff --git a/external/curl/curl-msvc-disable-protocols.patch.1 b/external/curl/curl-msvc-disable-protocols.patch.1
new file mode 100644
index 000000000000..38ff5ccb5ac0
--- /dev/null
+++ b/external/curl/curl-msvc-disable-protocols.patch.1
@@ -0,0 +1,24 @@
+disable protocols nobody needs in MSVC build
+
+--- curl/lib/config-win32.h.orig 2017-08-09 16:43:29.464000000 +0200
++++ curl/lib/config-win32.h 2017-08-09 16:47:38.549200000 +0200
+@@ -733,4 +733,19 @@
+ # define ENABLE_IPV6 1
+ #endif
+
++#define CURL_DISABLE_DICT 1
++#define CURL_DISABLE_FILE 1
++//#undef CURL_DISABLE_FTP
++#define CURL_DISABLE_GOPHER 1
++//#undef CURL_DISABLE_HTTP
++#define CURL_DISABLE_IMAP 1
++#define CURL_DISABLE_LDAP 1
++#define CURL_DISABLE_LDAPS 1
++#define CURL_DISABLE_POP3 1
++#define CURL_DISABLE_RTSP 1
++#define CURL_DISABLE_SMB 1
++#define CURL_DISABLE_SMTP 1
++#define CURL_DISABLE_TELNET 1
++#define CURL_DISABLE_TFTP 1
++
+ #endif /* HEADER_CURL_CONFIG_WIN32_H */
commit 9fd26734d3cbbd9b58f4b08058a75063632f57d1
Author: Michael Stahl <mst...@redhat.com>
Date: Wed Aug 9 17:14:11 2017 +0200
curl: disable more unnecessary stuff Only HTTP and FTP should be required. Add --without-libpsl --disable-ares --disable-rtsp --disable-smb, and --without-libidn was replaced with --without-libidn2.
Change-Id: Icf6afc8bff4cc7ad7a5a95b0c3f9a345a7cf67a3
diff --git a/external/curl/ExternalProject_curl.mk b/external/curl/ExternalProject_curl.mk
index 70de689dd0c7..73fd1ac63591 100644
--- a/external/curl/ExternalProject_curl.mk
+++ b/external/curl/ExternalProject_curl.mk
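Review bot: The protocol list added to config-win32.h repeats by hand what the `--disable-*` configure flags in external/curl/ExternalProject_curl.mk express for the other platforms, and nothing ties the two lists together. A comment above the block, e.g. `/* keep in sync with the --disable-* flags in external/curl/ExternalProject_curl.mk */`, would make the dependency visible to whoever next updates the bundled curl, so that a protocol handler disabled on one platform does not stay reachable on another. The two `//#undef` lines are inert and use `//` comments in a C header; `/* FTP and HTTP stay enabled */` says the same in the comment style the header already uses.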
@@ -46,11 +46,14 @@ $(call gb_ExternalProject_get_state_target,curl,build):
 --with-darwinssl,\
 $(if $(ENABLE_NSS),--with-nss$(if $(SYSTEM_NSS),,="$(call gb_UnpackedTarball_get_dir,nss)/dist/out"),--without-nss)) \
 --without-ssl --without-gnutls --without-polarssl --without-cyassl --without-axtls \
- --without-libidn --enable-ftp --enable-ipv6 --enable-http --disable-gopher \
- --disable-file --disable-ldap --disable-telnet --disable-dict --without-libssh2 \
- --without-librtmp --disable-ldaps --disable-tftp --disable-pop3 \
- --disable-imap --disable-smtp --disable-manual --without-metalink \
- --without-nghttp2 \
+ --enable-ftp --enable-http --enable-ipv6 \
+ --without-libidn2 --without-libpsl --without-librtmp \
+ --without-libssh2 --without-metalink --without-nghttp2 \
+ --disable-ares \
+ --disable-dict --disable-file --disable-gopher --disable-imap \
+ --disable-ldap --disable-ldaps --disable-manual --disable-pop3 \
+ --disable-rtsp --disable-smb --disable-smtp --disable-telnet \
+ --disable-tftp \
 $(if $(filter LINUX,$(OS)),--without-ca-bundle --without-ca-path) \
 $(if $(CROSS_COMPILING),--build=$(BUILD_PLATFORM) --host=$(HOST_PLATFORM)) \
 $(if $(filter TRUE,$(DISABLE_DYNLOADING)),--disable-shared,--disable-static) \
_______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits