Add a "referer" property to SfxObjectShell::CallXScript() and trust m…
…acros explicitly requested by the user
ardovm committed Jan 28, 2023
1 parent 98c68b9 commit 9112548
Showing 5 changed files with 35 additions and 8 deletions.
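--- a/main/filter/source/msfilter/msvbahelper.cxx
+++ b/main/filter/source/msfilter/msvbahelper.cxx
@@ -439,7 +439,7 @@ sal_Bool executeMacro( SfxObjectShell* pShell, const String& sMacroName, uno::Se
 if ( pShell )
 {
 nErr = pShell->CallXScript( sUrl,
-aArgs, aRet, aOutArgsIndex, aOutArgs, false );
+aArgs, aRet, aOutArgsIndex, aOutArgs, ::rtl::OUString(), false );
 sal_Int32 nLen = aOutArgs.getLength();
 // convert any out params to seem like they were inouts
 if ( nLen )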
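--- a/main/scripting/source/vbaevents/eventhelper.cxx
+++ b/main/scripting/source/vbaevents/eventhelper.cxx
@@ -975,7 +975,7 @@ EventListener::firing_Impl(const ScriptEvent& evt, Any* /*pRet*/ ) throw(Runtime
 {
 uno::Any aRet;
 mpShell->CallXScript( url,
-aArguments, aRet, aOutArgsIndex, aOutArgs, false );
+aArguments, aRet, aOutArgsIndex, aOutArgs, ::rtl::OUString(), false );
 }
 }
 catch ( uno::Exception& e )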
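--- a/main/sfx2/inc/sfx2/objsh.hxx
+++ b/main/sfx2/inc/sfx2/objsh.hxx
@@ -369,22 +369,45 @@ public:
 ErrCode CallBasic( const String& rMacro, const String& rBasicName,
 SbxArray* pArgs = 0, SbxValue* pRet = 0 );
 
+/** Execute a script URL.
+*
+* @param rScriptURL URL of the script.
+* @param aParams parameters for the macro.
+* @param aRet variable that will hold the return value.
+* @param aOutParamIndex index of output parameters.
+* @param aOutParam output parameters.
+* @param aReferer "Referer" calling the script.
+* @param bRaiseError true to show a dialog in case of error.
+*/
 ErrCode CallXScript(
 const String& rScriptURL,
 const ::com::sun::star::uno::Sequence< ::com::sun::star::uno::Any >& aParams,
 ::com::sun::star::uno::Any& aRet,
 ::com::sun::star::uno::Sequence< sal_Int16 >& aOutParamIndex,
 ::com::sun::star::uno::Sequence< ::com::sun::star::uno::Any >& aOutParam,
+const ::rtl::OUString& aReferer = ::rtl::OUString(),
 bool bRaiseError = true
 );
 
+/** Execute a script URL.
+*
+* @param _rxScriptContext script context.
+* @param rScriptURL URL of the script.
+* @param aParams parameters for the macro.
+* @param aRet variable that will hold the return value.
+* @param aOutParamIndex index of output parameters.
+* @param aOutParam output parameters.
+* @param aReferer "Referer" calling the script.
+* @param bRaiseError true to show a dialog in case of error.
+*/
 static ErrCode CallXScript(
 const ::com::sun::star::uno::Reference< ::com::sun::star::uno::XInterface >& _rxScriptContext,
 const ::rtl::OUString& rScriptURL,
 const ::com::sun::star::uno::Sequence< ::com::sun::star::uno::Any >& aParams,
 ::com::sun::star::uno::Any& aRet,
 ::com::sun::star::uno::Sequence< sal_Int16 >& aOutParamIndex,
 ::com::sun::star::uno::Sequence< ::com::sun::star::uno::Any >& aOutParam,
+const ::rtl::OUString& aReferer = ::rtl::OUString(),
 bool bRaiseError = true
 );
 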
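Review bot: The new `@param aReferer` text in both doc comments does not say that the value is security-relevant. Judging from the implementation change elsewhere in this commit, a referer that starts with `private:` makes the call skip the document macro access check. I would state that contract here, e.g. `@param aReferer origin of the call; a "private:" referer marks it as explicitly requested by the user and skips the macro security check, all other callers pass an empty string.` Also note that `aReferer` is inserted before the defaulted `bRaiseError`, so any caller not touched by this commit that passes `bRaiseError` positionally needs updating.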
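--- a/main/sfx2/source/appl/appserv.cxx
+++ b/main/sfx2/source/appl/appserv.cxx
@@ -1037,7 +1037,8 @@ void SfxApplication::OfaExec_Impl( SfxRequest& rReq )
 if ( !xScriptContext.is() )
 xScriptContext = xController;
 
-SfxObjectShell::CallXScript( xScriptContext, pDlg->GetScriptURL(), args, ret, outIndex, outArgs );
+SfxObjectShell::CallXScript( xScriptContext, pDlg->GetScriptURL(), args, ret, outIndex, outArgs,
+::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "private:user" ) ) );
 }
 while ( false );
 rReq.Done();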
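Review bot: The literal `"private:user"` passed to `CallXScript` here is tied to the trust check in the callee only by convention; a shared named constant would keep the two from drifting apart. A one-line comment at the call would also record why this site may skip the macro check, e.g. `// URL was chosen by the user in the dialog, so the call is marked as user-requested`. `OfaExec_Impl` starts and ends outside the hunk, so it is not visible here whether `pDlg->GetScriptURL()` can only hold a value the user picked; that is worth confirming before this call site is treated as trusted.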
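--- a/main/sfx2/source/doc/objmisc.cxx
+++ b/main/sfx2/source/doc/objmisc.cxx
@@ -1697,21 +1697,23 @@ namespace
 }
 
 ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptContext, const ::rtl::OUString& _rScriptURL,
-const Sequence< Any >& aParams, Any& aRet, Sequence< sal_Int16 >& aOutParamIndex, Sequence< Any >& aOutParam, bool bRaiseError )
+const Sequence< Any >& aParams, Any& aRet, Sequence< sal_Int16 >& aOutParamIndex, Sequence< Any >& aOutParam,
+const ::rtl::OUString& aReferer, bool bRaiseError )
 {
 OSL_TRACE( "in CallXScript" );
 ErrCode nErr = ERRCODE_NONE;
 
 bool bCaughtException = false;
 Any aException;
+bool bRefererIsTrusted = ( aReferer.compareToAscii("private:", 8) == 0 );
 try
 {
 uno::Reference< lang::XMultiServiceFactory > xServiceManager( ::comphelper::getProcessServiceFactory(), uno::UNO_SET_THROW );
 Reference< uri::XUriReferenceFactory > xFac (
 xServiceManager->createInstance( rtl::OUString::createFromAscii(
 "com.sun.star.uri.UriReferenceFactory") ) , UNO_QUERY_THROW );
 Reference< uri::XVndSunStarScriptUrlReference > xScriptUri( xFac->parse( _rScriptURL ), UNO_QUERY_THROW );
-if ( !lcl_isScriptAccessAllowed_nothrow( _rxScriptContext ) )
+if ( !bRefererIsTrusted && !lcl_isScriptAccessAllowed_nothrow( _rxScriptContext ) )
 return ERRCODE_IO_ACCESSDENIED;
 
 // obtain/create a script provider
@@ -1765,10 +1767,11 @@ ErrCode SfxObjectShell::CallXScript( const String& rScriptURL,
 aParams,
 ::com::sun::star::uno::Any& aRet,
 ::com::sun::star::uno::Sequence< sal_Int16 >& aOutParamIndex,
-::com::sun::star::uno::Sequence< ::com::sun::star::uno::Any >& aOutParam
-, bool bRaiseError )
+::com::sun::star::uno::Sequence< ::com::sun::star::uno::Any >& aOutParam,
+const ::rtl::OUString& aReferer,
+bool bRaiseError )
 {
-return CallXScript( GetModel(), rScriptURL, aParams, aRet, aOutParamIndex, aOutParam, bRaiseError );
+return CallXScript( GetModel(), rScriptURL, aParams, aRet, aOutParamIndex, aOutParam, aReferer, bRaiseError );
 }
 
 //-------------------------------------------------------------------------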
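Review bot: The trust decision in the first hunk, `bool bRefererIsTrusted = ( aReferer.compareToAscii("private:", 8) == 0 );`, accepts any referer that merely begins with `private:`, and that flag then skips `lcl_isScriptAccessAllowed_nothrow` entirely. The only trusted value this commit passes is `private:user`, so an exact match would be tighter, e.g. `bool bRefererIsTrusted = aReferer.equalsAsciiL( RTL_CONSTASCII_STRINGPARAM( "private:user" ) );`, which also removes the hand-counted length 8. Because the referer is a plain caller-supplied string, every caller has to guarantee it never comes from document content or a dispatched URL; a short comment above the flag stating that requirement would help future callers. The function body continues outside the hunk.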
