authorStephan Bergmann <stephan.bergmann@allotropia.de>2024-06-11 14:15:47 +0200
committerStephan Bergmann <stephan.bergmann@allotropia.de>2024-06-11 16:09:34 +0200
commitdc01a6e7efd3e4c41287dc10c7ea1fdfa1ab5cb5 (patch)
tree2e8a3804db8a3cd13cb0743adb228d3e49abc786 /forms/source/component/clickableimage.cxx
parent46c261603fc60ad30e80cbf6903b573ac98a66ee (diff)
Some missing "block untrusted referer links" for form controls
...where "Referer" is now passed in as an additional property, so that the relevant objects can decide whether to obtain graphics while loading a document Change-Id: Ie3dabc574861713212b906a0d7793f438a7d50a8 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/168674 Tested-by: Jenkins Reviewed-by: Stephan Bergmann <stephan.bergmann@allotropia.de>
Diffstat (limited to 'forms/source/component/clickableimage.cxx')
-rw-r--r--forms/source/component/clickableimage.cxx9
1 files changed, 7 insertions, 2 deletions
diff --git a/forms/source/component/clickableimage.cxx b/forms/source/component/clickableimage.cxx
index 9d57272274a0..adb92952ea02 100644
--- a/forms/source/component/clickableimage.cxx
+++ b/forms/source/component/clickableimage.cxx
@@ -47,6 +47,7 @@
#include <comphelper/types.hxx>
#include <cppuhelper/exc_hlp.hxx>
#include <svtools/imageresourceaccess.hxx>
+#include <unotools/securityoptions.hxx>
#define LOCAL_URL_PREFIX '#'
@@ -756,8 +757,12 @@ namespace frm
m_bProdStarted = false;
- // Kick off download (caution: can be synchronous).
- m_pMedium->Download(LINK(this, OClickableImageBaseModel, DownloadDoneLink));
+ OUString referer;
+ getPropertyValue("Referer") >>= referer;
+ if (!SvtSecurityOptions::isUntrustedReferer(referer)) {
+ // Kick off download (caution: can be synchronous).
+ m_pMedium->Download(LINK(this, OClickableImageBaseModel, DownloadDoneLink));
+ }
}
else
{
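Review bot: The result of `getPropertyValue("Referer") >>= referer` is discarded, so a missing or non-string property leaves `referer` empty. As far as I recall, `SvtSecurityOptions::isUntrustedReferer` does not block an empty referer (worth confirming in unotools), which would make this guard fail open on any path that never sets the property. Consider keeping the extraction result, e.g. `bool const bHasReferer = getPropertyValue("Referer") >>= referer;`, and either skipping the download when it is false or adding a comment such as `// an unset Referer is deliberately treated as trusted, see isUntrustedReferer`. Separately, on the blocked path `DownloadDoneLink` is never invoked while `m_pMedium` (presumably created just above this hunk) stays in place. The enclosing function starts and ends outside the hunk, so whether the producer state remains consistent when the download is skipped cannot be verified from here.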