avmedia/source/gstreamer/gstframegrabber.cxx | 14 +-
desktop/source/app/updater.cxx | 4
desktop/source/minidump/minidump.cxx | 4
extensions/source/update/check/download.cxx | 4
include/curlinit.hxx | 59
++++++++++
include/tools/urlobj.hxx | 5
lingucomponent/source/spellcheck/languagetool/languagetoolimp.cxx | 5
linguistic/source/translate.cxx | 4
sfx2/source/doc/iframe.cxx | 5
svl/source/crypto/cryptosign.cxx | 6 +
tools/source/fsys/urlobj.cxx | 8 +
ucb/source/ucp/cmis/cmis_content.cxx | 5
ucb/source/ucp/ftp/ftploaderthread.cxx | 4
ucb/source/ucp/webdav-curl/CurlSession.cxx | 2
14 files changed, 123 insertions(+), 6 deletions(-)
New commits:
commit 8a690465fc7df0f554252d437d0b50a9f5c0f7e7
Author: Caolán McNamara <caolan.mcnam...@collabora.com>
AuthorDate: Fri Nov 3 14:20:07 2023 +0000
Commit: Thorsten Behrens <thorsten.behr...@allotropia.de>
CommitDate: Sun Nov 12 02:11:25 2023 +0100
escape url passed to gstreamer
Change-Id: I3c93ee34800cc8563370f75ef3ef6f8a9220e6ec
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158894
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
(cherry picked from commit f41dcadf6492a6ffd32696d50f818e44355b9ad9)
diff --git a/avmedia/source/gstreamer/gstframegrabber.cxx
b/avmedia/source/gstreamer/gstframegrabber.cxx
index 6f41511dc128..f8911ed7c9b3 100644
--- a/avmedia/source/gstreamer/gstframegrabber.cxx
+++ b/avmedia/source/gstreamer/gstframegrabber.cxx
@@ -50,11 +50,9 @@ void FrameGrabber::disposePipeline()
FrameGrabber::FrameGrabber( std::u16string_view rURL )
{
- gchar *pPipelineStr;
- pPipelineStr = g_strdup_printf(
- "uridecodebin uri=%s ! videoconvert ! videoscale ! appsink "
- "name=sink caps=\"video/x-raw,format=RGB,pixel-aspect-ratio=1/1\"",
- OUStringToOString( rURL, RTL_TEXTENCODING_UTF8 ).getStr() );
+ const char pPipelineStr[] =
+ "uridecodebin name=source ! videoconvert ! videoscale ! appsink "
+ "name=sink caps=\"video/x-raw,format=RGB,pixel-aspect-ratio=1/1\"";
GError *pError = nullptr;
mpPipeline = gst_parse_launch( pPipelineStr, &pError );
@@ -65,6 +63,12 @@ FrameGrabber::FrameGrabber( std::u16string_view rURL )
}
if( mpPipeline ) {
+
+ if (GstElement *pUriDecode = gst_bin_get_by_name(GST_BIN(mpPipeline),
"source"))
+ g_object_set(pUriDecode, "uri", OUStringToOString(rURL,
RTL_TEXTENCODING_UTF8).getStr(), nullptr);
+ else
+ g_warning("Missing 'source' element in gstreamer pipeline");
+
// pre-roll
switch( gst_element_set_state( mpPipeline, GST_STATE_PAUSED ) ) {
case GST_STATE_CHANGE_FAILURE:
commit dee219891fb19950a5ba0c55d3a6ddde2147bc5d
Author: Caolán McNamara <caolan.mcnam...@collabora.com>
AuthorDate: Fri Nov 3 17:14:26 2023 +0000
Commit: Thorsten Behrens <thorsten.behr...@allotropia.de>
CommitDate: Sun Nov 12 02:10:50 2023 +0100
add some protocols that don't make sense as floating frame targets
Change-Id: Id900a5eef248731d1184c1df501a2cf7a2de7eb9
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158910
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com>
(cherry picked from commit 11ebdfef16501c6d35c3e3d0d62507f706557c71)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158900
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
(cherry picked from commit bab433911bdecb344f7ea94dbd00690241a08c54)
diff --git a/include/tools/urlobj.hxx b/include/tools/urlobj.hxx
index 9d6820ddf241..dfd658722826 100644
--- a/include/tools/urlobj.hxx
+++ b/include/tools/urlobj.hxx
@@ -915,6 +915,11 @@ public:
void changeScheme(INetProtocol eTargetScheme);
+ // INetProtocol::Macro, INetProtocol::Uno, INetProtocol::Slot,
+ // vnd.sun.star.script, etc. All the types of URLs which shouldn't
+ // be accepted from an outside controlled source
+ bool IsExoticProtocol() const;
+
private:
// General Structure:
diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx
index 507256aadf17..442913678e4c 100644
--- a/sfx2/source/doc/iframe.cxx
+++ b/sfx2/source/doc/iframe.cxx
@@ -169,8 +169,11 @@ sal_Bool SAL_CALL IFrameObject::load(
xTrans->parseStrict( aTargetURL );
INetURLObject aURLObject(aTargetURL.Complete);
- if (aURLObject.GetProtocol() == INetProtocol::Macro ||
aURLObject.isSchemeEqualTo(u"vnd.sun.star.script"))
+ if (aURLObject.IsExoticProtocol())
+ {
+ SAL_WARN("sfx", "IFrameObject::load ignoring: " <<
aTargetURL.Complete);
return false;
+ }
uno::Reference<frame::XFramesSupplier> xParentFrame =
xFrame->getCreator();
SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame);
diff --git a/tools/source/fsys/urlobj.cxx b/tools/source/fsys/urlobj.cxx
index ae5e07797bc0..cb749863e9fb 100644
--- a/tools/source/fsys/urlobj.cxx
+++ b/tools/source/fsys/urlobj.cxx
@@ -4880,4 +4880,12 @@ OUString INetURLObject::CutExtension()
? aTheExtension : OUString();
}
+bool INetURLObject::IsExoticProtocol() const
+{
+ return m_eScheme == INetProtocol::Slot ||
+ m_eScheme == INetProtocol::Macro ||
+ m_eScheme == INetProtocol::Uno ||
+ isSchemeEqualTo(u"vnd.sun.star.script");
+}
+
/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
commit 2221f551716d0b0747e5dd63cdb88142bf0664eb
Author: Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Fri Nov 3 20:16:09 2023 +0100
Commit: Thorsten Behrens <thorsten.behr...@allotropia.de>
CommitDate: Sun Nov 12 02:08:54 2023 +0100
curl: mitigate migration to OpenSSL on Linux
The problem is that curl 8.3.0 removed the NSS backend, so we now
have no other choice than to use the bundled OpenSSL on Linux.
Currently any curl https connection fails with:
CurlSession.cxx:963: curl_easy_perform failed: (60) SSL certificate
problem: unable to get local issuer certificate
Apparently this requires manually telling curl which CA certificates to
trust; there is a configure flag --with-ca-bundle but that is useless as
it tries to load the file relative to whatever is the current working
directory, and also did i mention that there are at least 3 different
locations where a Linux system may store its system trusted CA
certificates because ALL ABOUT CHOICE.
So add a new header with an init function to try out various file
locations listed in this nice blog article and call it from way too many
places that independently use curl.
https://www.happyassassin.net/posts/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
TODO: perhaps bundle a cacert.pem as a fallback in case the system chose
to innovate by putting its certificates in yet another unexpected place
(regression from commit c2930ebff82c4f7ffe8377ab82627131f8544226)
Change-Id: Ibf1cc0069bc2ae011ecead9a4c2b455e94b01241
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158915
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
(cherry picked from commit 3fc632c0261c75fb4079a5305e814698e791f75c)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159035
Reviewed-by: Thorsten Behrens <thorsten.behr...@allotropia.de>
(cherry picked from commit f5ce7ad845c00af284065bb6691d38b62deb91d8)
diff --git a/desktop/source/app/updater.cxx b/desktop/source/app/updater.cxx
index 92f060b976e2..7ff6234b4555 100644
--- a/desktop/source/app/updater.cxx
+++ b/desktop/source/app/updater.cxx
@@ -37,6 +37,8 @@
#include <orcus/json_document_tree.hpp>
#include <orcus/config.hpp>
#include <orcus/pstring.hpp>
+
+#include <curlinit.hxx>
#include <comphelper/hash.hxx>
#include <com/sun/star/container/XNameAccess.hpp>
@@ -546,6 +548,8 @@ std::string download_content(const OString& rURL, bool
bFile, OUString& rHash)
if (!curl)
return std::string();
+ ::InitCurl_easy(curl.get());
+
curl_easy_setopt(curl.get(), CURLOPT_URL, rURL.getStr());
curl_easy_setopt(curl.get(), CURLOPT_USERAGENT, kUserAgent);
bool bUseProxy = false;
diff --git a/desktop/source/minidump/minidump.cxx
b/desktop/source/minidump/minidump.cxx
index 0bf20f2aa419..7fbb0884987d 100644
--- a/desktop/source/minidump/minidump.cxx
+++ b/desktop/source/minidump/minidump.cxx
@@ -17,6 +17,8 @@
#include <curl/curl.h>
+#include <curlinit.hxx>
+
#ifdef _WIN32
#include <memory>
#include <windows.h>
@@ -95,6 +97,8 @@ static bool uploadContent(std::map<std::string, std::string>&
parameters, std::s
if (!curl)
return false;
+ ::InitCurl_easy(curl);
+
std::string proxy, proxy_user_pwd, ca_certificate_file, file, url, version;
getProperty("Proxy", proxy, parameters);
diff --git a/extensions/source/update/check/download.cxx
b/extensions/source/update/check/download.cxx
index 8f090ed9b6dd..2124ee5a0512 100644
--- a/extensions/source/update/check/download.cxx
+++ b/extensions/source/update/check/download.cxx
@@ -23,6 +23,8 @@
#include <curl/curl.h>
+#include <curlinit.hxx>
+
#include <o3tl/string_view.hxx>
#include <osl/diagnose.h>
#include <osl/file.h>
@@ -222,6 +224,8 @@ static bool curl_run(std::u16string_view rURL, OutData&
out, const OString& aPro
if( nullptr != pCURL )
{
+ ::InitCurl_easy(pCURL);
+
out.curl = pCURL;
OString aURL(OUStringToOString(rURL, RTL_TEXTENCODING_UTF8));
diff --git a/include/curlinit.hxx b/include/curlinit.hxx
new file mode 100644
index 000000000000..8b3a9968419d
--- /dev/null
+++ b/include/curlinit.hxx
@@ -0,0 +1,59 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4;
fill-column: 100 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#pragma once
+
+#include <curl/curl.h>
+
+#if defined(LINUX) && !defined(SYSTEM_CURL)
+#include <com/sun/star/uno/RuntimeException.hpp>
+
+#include <unistd.h>
+
+static char const* GetCABundleFile()
+{
+ // try system ones first; inspired by:
+ //
https://www.happyassassin.net/posts/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
+ auto const candidates = {
+ "/etc/pki/tls/certs/ca-bundle.crt",
+ "/etc/pki/tls/certs/ca-bundle.trust.crt",
+ "/etc/ssl/certs/ca-certificates.crt",
+ "/var/lib/ca-certificates/ca-bundle.pem",
+ };
+ for (char const* const candidate : candidates)
+ {
+ if (access(candidate, R_OK) == 0)
+ {
+ return candidate;
+ }
+ }
+
+ throw css::uno::RuntimeException("no OpenSSL CA certificate bundle found");
+}
+
+static void InitCurl_easy(CURL* const pCURL)
+{
+ char const* const path = GetCABundleFile();
+ auto rc = curl_easy_setopt(pCURL, CURLOPT_CAINFO, path);
+ if (rc != CURLE_OK) // only if OOM?
+ {
+ throw css::uno::RuntimeException("CURLOPT_CAINFO failed");
+ }
+}
+
+#else
+
+static void InitCurl_easy(CURL* const)
+{
+ // these don't use OpenSSL so CAs work out of the box
+}
+
+#endif
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab cinoptions=b1,g0,N-s
cinkeys+=0=break: */
diff --git a/lingucomponent/source/spellcheck/languagetool/languagetoolimp.cxx
b/lingucomponent/source/spellcheck/languagetool/languagetoolimp.cxx
index 7152a6ff0880..c5062b84fbe7 100644
--- a/lingucomponent/source/spellcheck/languagetool/languagetoolimp.cxx
+++ b/lingucomponent/source/spellcheck/languagetool/languagetoolimp.cxx
@@ -41,6 +41,9 @@
#include <boost/property_tree/json_parser.hpp>
#include <algorithm>
#include <string_view>
+
+#include <curlinit.hxx>
+
#include <sal/log.hxx>
#include <tools/color.hxx>
#include <tools/long.hxx>
@@ -128,6 +131,8 @@ std::string makeHttpRequest_impl(std::u16string_view aURL,
HTTP_METHOD method,
return {}; // empty string
}
+ ::InitCurl_easy(curl.get());
+
// Same useragent string as in CurlSession
(ucp/webdav-curl/CurlSession.cxx)
curl_version_info_data const* const
pVersion(curl_version_info(CURLVERSION_NOW));
assert(pVersion);
diff --git a/linguistic/source/translate.cxx b/linguistic/source/translate.cxx
index 12f5491e2129..fdd95fca2988 100644
--- a/linguistic/source/translate.cxx
+++ b/linguistic/source/translate.cxx
@@ -4,6 +4,7 @@
#include <rtl/string.h>
#include <boost/property_tree/ptree.hpp>
#include <boost/property_tree/json_parser.hpp>
+#include <curlinit.hxx>
#include <vcl/htmltransferable.hxx>
#include <tools/long.hxx>
@@ -16,6 +17,9 @@ OString Translate(const OString& rTargetLang, const OString&
rAPIUrl, const OStr
std::unique_ptr<CURL, std::function<void(CURL*)>> curl(curl_easy_init(),
[](CURL* p) {
curl_easy_cleanup(p); });
+
+ ::InitCurl_easy(curl.get());
+
(void)curl_easy_setopt(curl.get(), CURLOPT_URL, rAPIUrl.getStr());
(void)curl_easy_setopt(curl.get(), CURLOPT_FAILONERROR, 1L);
(void)curl_easy_setopt(curl.get(), CURLOPT_TIMEOUT, CURL_TIMEOUT);
diff --git a/svl/source/crypto/cryptosign.cxx b/svl/source/crypto/cryptosign.cxx
index e68ccb8aafda..378a62f1ea56 100644
--- a/svl/source/crypto/cryptosign.cxx
+++ b/svl/source/crypto/cryptosign.cxx
@@ -15,6 +15,10 @@
#include <svl/sigstruct.hxx>
#include <config_crypto.h>
+#if USE_CRYPTO_NSS
+#include <curlinit.hxx>
+#endif
+
#include <rtl/character.hxx>
#include <rtl/strbuf.hxx>
#include <rtl/string.hxx>
@@ -1086,6 +1090,8 @@ bool Signing::Sign(OStringBuffer& rCMSHexBuffer)
return false;
}
+ ::InitCurl_easy(curl);
+
SAL_INFO("svl.crypto", "Setting curl to verbose: " <<
(curl_easy_setopt(curl, CURLOPT_VERBOSE, 1) == CURLE_OK ? "OK" : "FAIL"));
if ((rc = curl_easy_setopt(curl, CURLOPT_URL,
OUStringToOString(m_aSignTSA, RTL_TEXTENCODING_UTF8).getStr())) != CURLE_OK)
diff --git a/ucb/source/ucp/cmis/cmis_content.cxx
b/ucb/source/ucp/cmis/cmis_content.cxx
index a9781c233054..52c4769e474b 100644
--- a/ucb/source/ucp/cmis/cmis_content.cxx
+++ b/ucb/source/ucp/cmis/cmis_content.cxx
@@ -56,6 +56,8 @@
#include <ucbhelper/proxydecider.hxx>
#include <ucbhelper/macros.hxx>
#include <sax/tools/converter.hxx>
+#include <curlinit.hxx>
+
#include <utility>
#include "auth_provider.hxx"
@@ -335,6 +337,9 @@ namespace cmis
new CertValidationHandler( xEnv, m_xContext,
aBindingUrl.GetHost( ) ) );
libcmis::SessionFactory::setCertificateValidationHandler(
certHandler );
+ // init libcurl callback
+
libcmis::SessionFactory::setCurlInitProtocolsFunction(&::InitCurl_easy);
+
// Get the auth credentials
AuthProvider aAuthProvider(xEnv,
m_xIdentifier->getContentIdentifier(), m_aURL.getBindingUrl());
AuthProvider::setXEnv( xEnv );
diff --git a/ucb/source/ucp/ftp/ftploaderthread.cxx
b/ucb/source/ucp/ftp/ftploaderthread.cxx
index f5ebfe36cdda..91130fc1bc9c 100644
--- a/ucb/source/ucp/ftp/ftploaderthread.cxx
+++ b/ucb/source/ucp/ftp/ftploaderthread.cxx
@@ -25,6 +25,8 @@
#include "ftploaderthread.hxx"
#include "curl.hxx"
+#include <curlinit.hxx>
+
using namespace ftp;
@@ -75,6 +77,8 @@ CURL* FTPLoaderThread::handle() {
if(!ret) {
ret = curl_easy_init();
if (ret != nullptr) {
+ ::InitCurl_easy(ret);
+
// Make sure curl is not internally using environment variables
like
// "ftp_proxy":
if (curl_easy_setopt(ret, CURLOPT_PROXY, "") != CURLE_OK) {
diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx
b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index ac924beb2e17..f046395a668e 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -35,6 +35,7 @@
#include <rtl/uri.hxx>
#include <rtl/strbuf.hxx>
#include <rtl/ustrbuf.hxx>
+#include <curlinit.hxx>
#include <config_version.h>
#include <map>
@@ -680,6 +681,7 @@
CurlSession::CurlSession(uno::Reference<uno::XComponentContext> xContext,
assert(rc == CURLE_OK);
rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HEADERFUNCTION,
&header_callback);
assert(rc == CURLE_OK);
+ ::InitCurl_easy(m_pCurl.get());
// tdf#149921 by default, with schannel (WNT) connection fails if
revocation
// lists cannot be checked; try to limit the checking to when revocation
// lists can actually be retrieved (usually not the case for self-signed
CA)
