officecfg,*: add Office::Security::Net::AllowInsecureProtocols

By default, unencrypted network connections are allowed. But now it can be disabled, for everything that uses libcurl. Change-Id: I8e103f5a968ace2a19fdb9d6934c9a51b2aeabe4 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159011 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
author: Michael Stahl <michael.stahl@allotropia.de> 2023-11-06 18:11:42 +0100
committer: Michael Stahl <michael.stahl@allotropia.de> 2023-11-09 16:51:31 +0100
commit: 5365daf67f8b81f69a47e3692a71fd3962505e46 (patch)
tree: 573034fb9183193080782f119c9599b3396dcb97
parent: c32bf48b7446808ffc47472021ec32cb7c70eea7 (diff)
9 files changed, 75 insertions, 16 deletions
diff --git a/desktop/Library_crashreport.mk b/desktop/Library_crashreport.mk
index ba267e212974..c00814c82cee 100644
--- a/desktop/Library_crashreport.mk
+++ b/desktop/Library_crashreport.mk
@@ -31,6 +31,10 @@ $(eval $(call gb_Library_add_libs,crashreport,\
 
 $(eval $(call gb_Library_use_sdk_api,crashreport))
 
+$(eval $(call gb_Library_use_custom_headers,crashreport,\
+	officecfg/registry \
+))
+
 $(eval $(call gb_Library_use_libraries,crashreport,\
     comphelper \
     cppu \
diff --git a/extensions/Library_updchk.mk b/extensions/Library_updchk.mk
index 7088efa2c37b..85c0293231fa 100644
--- a/extensions/Library_updchk.mk
+++ b/extensions/Library_updchk.mk
@@ -18,6 +18,10 @@ $(eval $(call gb_Library_set_include,updchk,\
 
 $(eval $(call gb_Library_use_sdk_api,updchk))
 
+$(eval $(call gb_Library_use_custom_headers,updchk,\
+	officecfg/registry \
+))
+
 $(eval $(call gb_Library_use_libraries,updchk,\
 	comphelper \
 	cppuhelper \
diff --git a/include/curlinit.hxx b/include/curlinit.hxx
index 8b3a9968419d..14f660b41efa 100644
--- a/include/curlinit.hxx
+++ b/include/curlinit.hxx
@@ -11,6 +11,8 @@
 
 #include <curl/curl.h>
 
+#include <officecfg/Office/Security.hxx>
+
 #if defined(LINUX) && !defined(SYSTEM_CURL)
 #include <com/sun/star/uno/RuntimeException.hpp>
 
@@ -36,24 +38,33 @@ static char const* GetCABundleFile()
 
     throw css::uno::RuntimeException("no OpenSSL CA certificate bundle found");
 }
+#endif
 
 static void InitCurl_easy(CURL* const pCURL)
 {
+    CURLcode rc;
+    (void)rc;
+
+#if defined(LINUX) && !defined(SYSTEM_CURL)
     char const* const path = GetCABundleFile();
-    auto rc = curl_easy_setopt(pCURL, CURLOPT_CAINFO, path);
+    rc = curl_easy_setopt(pCURL, CURLOPT_CAINFO, path);
     if (rc != CURLE_OK) // only if OOM?
     {
         throw css::uno::RuntimeException("CURLOPT_CAINFO failed");
     }
-}
-
-#else
+#endif
 
-static void InitCurl_easy(CURL* const)
-{
-    // these don't use OpenSSL so CAs work out of the box
+    if (!officecfg::Office::Security::Net::AllowInsecureProtocols::get())
+    {
+        rc = curl_easy_setopt(pCURL, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
+        assert(rc == CURLE_OK);
+        rc = curl_easy_setopt(pCURL, CURLOPT_PROXY_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
+        assert(rc == CURLE_OK);
+        rc = curl_easy_setopt(pCURL, CURLOPT_PROTOCOLS_STR, "https");
+        assert(rc == CURLE_OK);
+        rc = curl_easy_setopt(pCURL, CURLOPT_REDIR_PROTOCOLS_STR, "https");
+        assert(rc == CURLE_OK);
+    }
 }
 
-#endif
-
 /* vim:set shiftwidth=4 softtabstop=4 expandtab cinoptions=b1,g0,N-s cinkeys+=0=break: */
diff --git a/linguistic/Library_lng.mk b/linguistic/Library_lng.mk
index 49c37b807685..4991163ed070 100644
--- a/linguistic/Library_lng.mk
+++ b/linguistic/Library_lng.mk
@@ -28,6 +28,10 @@ $(eval $(call gb_Library_set_include,lng,\
 
 $(eval $(call gb_Library_use_sdk_api,lng))
 
+$(eval $(call gb_Library_use_custom_headers,lng,\
+	officecfg/registry \
+))
+
 $(eval $(call gb_Library_add_defs,lng,\
 	-DLNG_DLLIMPLEMENTATION \
 ))
diff --git a/officecfg/registry/schema/org/openoffice/Office/Security.xcs b/officecfg/registry/schema/org/openoffice/Office/Security.xcs
index f474df6def51..4cb9073012f5 100644
--- a/officecfg/registry/schema/org/openoffice/Office/Security.xcs
+++ b/officecfg/registry/schema/org/openoffice/Office/Security.xcs
@@ -44,5 +44,16 @@
         <value>true</value>
       </prop>
     </group>
+    <group oor:name="Net">
+      <info>
+        <desc>Specifies how secure hyperlinks are processed.</desc>
+      </info>
+      <prop oor:name="AllowInsecureProtocols" oor:type="xs:boolean" oor:nillable="false">
+        <info>
+          <desc>Allow using insecure and/or unencrypted protocols such as HTTP, SMTP, FTP.</desc>
+        </info>
+        <value>true</value>
+      </prop>
+    </group>
   </component>
 </oor:component-schema>
diff --git a/ucb/Library_ucpcmis1.mk b/ucb/Library_ucpcmis1.mk
index f18f9e04aad5..707d9ff604a4 100644
--- a/ucb/Library_ucpcmis1.mk
+++ b/ucb/Library_ucpcmis1.mk
@@ -14,6 +14,10 @@ $(eval $(call gb_Library_set_componentfile,ucpcmis1,ucb/source/ucp/cmis/ucpcmis1
 
 $(eval $(call gb_Library_use_sdk_api,ucpcmis1))
 
+$(eval $(call gb_Library_use_custom_headers,ucpcmis1,\
+	officecfg/registry \
+))
+
 $(eval $(call gb_Library_use_libraries,ucpcmis1,\
 	comphelper \
 	cppu \
diff --git a/ucb/Library_ucpftp1.mk b/ucb/Library_ucpftp1.mk
index af8eda87f558..a6ac6c69f69b 100644
--- a/ucb/Library_ucpftp1.mk
+++ b/ucb/Library_ucpftp1.mk
@@ -16,6 +16,10 @@ $(eval $(call gb_Library_use_external,ucpftp1,boost_headers))
 
 $(eval $(call gb_Library_use_sdk_api,ucpftp1))
 
+$(eval $(call gb_Library_use_custom_headers,ucpftp1,\
+	officecfg/registry \
+))
+
 $(eval $(call gb_Library_use_libraries,ucpftp1,\
 	comphelper \
 	cppu \
diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index 1d85d5df0ca5..cc37f0b4da77 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -23,6 +23,7 @@
 #include <o3tl/string_view.hxx>
 
 #include <officecfg/Inet.hxx>
+#include <officecfg/Office/Security.hxx>
 
 #include <com/sun/star/beans/NamedValue.hpp>
 #include <com/sun/star/io/Pipe.hpp>
@@ -682,15 +683,19 @@ CurlSession::CurlSession(uno::Reference<uno::XComponentContext> xContext,
     rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HEADERFUNCTION, &header_callback);
     assert(rc == CURLE_OK);
     ::InitCurl_easy(m_pCurl.get());
+    if (officecfg::Office::Security::Net::AllowInsecureProtocols::get())
+    {
     // tdf#149921 by default, with schannel (WNT) connection fails if revocation
     // lists cannot be checked; try to limit the checking to when revocation
     // lists can actually be retrieved (usually not the case for self-signed CA)
 #if CURL_AT_LEAST_VERSION(7, 70, 0)
-    rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
-    assert(rc == CURLE_OK);
-    rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_PROXY_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
-    assert(rc == CURLE_OK);
+        rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
+        assert(rc == CURLE_OK);
+        rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_PROXY_SSL_OPTIONS,
+                              CURLSSLOPT_REVOKE_BEST_EFFORT);
+        assert(rc == CURLE_OK);
 #endif
+    }
     // set this initially, may be overwritten during authentication
     rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HTTPAUTH, CURLAUTH_ANY);
     assert(rc == CURLE_OK); // ANY is always available
diff --git a/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx b/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx
index fa324b0493e9..c1b775c08f70 100644
--- a/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx
+++ b/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx
@@ -26,6 +26,9 @@
 
 #include "DAVAuthListenerImpl.hxx"
 #include "DAVResourceAccess.hxx"
+#include "webdavprovider.hxx"
+
+#include <officecfg/Office/Security.hxx>
 
 #include <com/sun/star/lang/IllegalArgumentException.hpp>
 #include <com/sun/star/io/IOException.hpp>
@@ -1005,7 +1008,17 @@ void DAVResourceAccess::initialize()
     osl::Guard< osl::Mutex > aGuard( m_aMutex );
     if ( m_aPath.isEmpty() )
     {
-        CurlUri const aURI( m_aURL );
+        CurlUri aURI(m_aURL);
+        assert(aURI.GetScheme() == HTTP_URL_SCHEME || aURI.GetScheme() == HTTPS_URL_SCHEME);
+        if (aURI.GetScheme() == HTTP_URL_SCHEME)
+        {
+            if (!officecfg::Office::Security::Net::AllowInsecureProtocols::get())
+            {
+                // "http" not allowed -> immediately redirect to "https",
+                // better than showing confusing error to user
+                aURI.SetScheme(HTTPS_URL_SCHEME);
+            }
+        }
         OUString aPath( aURI.GetRelativeReference() );
 
         /* #134089# - Check URI */
@@ -1021,8 +1034,7 @@ void DAVResourceAccess::initialize()
             m_xSession.clear();
 
             // create new webdav session
-            m_xSession
-                = m_xSessionFactory->createDAVSession( m_aURL, m_aFlags, m_xContext );
+            m_xSession = m_xSessionFactory->createDAVSession(aURI.GetURI(), m_aFlags, m_xContext);
 
             if ( !m_xSession.is() )
                 return;
author	Michael Stahl <michael.stahl@allotropia.de>	2023-11-06 18:11:42 +0100
committer	Michael Stahl <michael.stahl@allotropia.de>	2023-11-09 16:51:31 +0100
commit	5365daf67f8b81f69a47e3692a71fd3962505e46 (patch)
tree	573034fb9183193080782f119c9599b3396dcb97
parent	c32bf48b7446808ffc47472021ec32cb7c70eea7 (diff)