diff options
author | Michael Stahl <michael.stahl@allotropia.de> | 2023-11-07 15:40:55 +0100 |
---|---|---|
committer | Michael Stahl <michael.stahl@allotropia.de> | 2023-11-09 16:55:18 +0100 |
commit | 8e46dd9599bc84f60abf2d2d5625fa15076dfc80 (patch) | |
tree | 726b50cbd1b4d7de08c87e0745ee285ad403ac4e /scripting | |
parent | 1472e2d68b9cff43b99069d3ba9439fff0a5684c (diff) |
scripting: PyMailServiceProvider: implement AllowInsecureProtocols
The "ehlo" calls look redundant, smtplib will do these implicitly if
required (checked in Python 3.5.9); it will also check that the STARTTLS
is successful which very old versions of Python didn't do.
Change-Id: Ice8b24bc2c9773c1171e856f1aefb191b1e2e947
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159078
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
Diffstat (limited to 'scripting')
-rw-r--r-- | scripting/source/pyprov/mailmerge.py | 56 |
1 files changed, 39 insertions, 17 deletions
diff --git a/scripting/source/pyprov/mailmerge.py b/scripting/source/pyprov/mailmerge.py index 40be53b9366a..3c781c52f2cb 100644 --- a/scripting/source/pyprov/mailmerge.py +++ b/scripting/source/pyprov/mailmerge.py @@ -55,6 +55,34 @@ g_ImplementationHelper = unohelper.ImplementationHelper() g_providerImplName = "org.openoffice.pyuno.MailServiceProvider" g_messageImplName = "org.openoffice.pyuno.MailMessage" +def prepareTLSContext(xComponent, xContext, isTLSRequested): + xConfigProvider = xContext.ServiceManager.createInstance("com.sun.star.configuration.ConfigurationProvider") + prop = uno.createUnoStruct('com.sun.star.beans.PropertyValue') + prop.Name = "nodepath" + prop.Value = "/org.openoffice.Office.Security/Net" + xSettings = xConfigProvider.createInstanceWithArguments("com.sun.star.configuration.ConfigurationAccess", + (prop,)) + isAllowedInsecure = xSettings.getByName("AllowInsecureProtocols") + tlscontext = None + if isTLSRequested: + if dbg: + print("SSL config: " + str(ssl.get_default_verify_paths()), file=sys.stderr) + tlscontext = ssl.create_default_context() + # SSLv2/v3 is already disabled by default. + # This check does not work, because OpenSSL 3 defines SSL_OP_NO_SSLv2 + # as 0, so even though _ssl__SSLContext_impl() tries to set it, + # getting the value from SSL_CTX_get_options() doesn't lead to setting + # the python-level flag. + #assert (tlscontext.options & ssl.Options.OP_NO_SSLv2) != 0 + assert (tlscontext.options & ssl.Options.OP_NO_SSLv3) != 0 + if not(isAllowedInsecure): + if not(isTLSRequested): + if dbg: + print("mailmerge.py: insecure connection not allowed by configuration", file=sys.stderr) + raise IllegalArgumentException("insecure connection not allowed by configuration", xComponent, 1) + tlscontext.options |= ssl.Options.OP_NO_TLSv1 | ssl.Options.OP_NO_TLSv1_1 + return tlscontext + class PyMailSMTPService(unohelper.Base, XSmtpService): def __init__( self, ctx ): self.ctx = ctx @@ -95,25 +123,21 @@ class PyMailSMTPService(unohelper.Base, XSmtpService): tout = _GLOBAL_DEFAULT_TIMEOUT if dbg: print("Timeout: " + str(tout), file=sys.stderr) + connectiontype = xConnectionContext.getValueByName("ConnectionType") + if dbg: + print("ConnectionType: " + connectiontype, file=sys.stderr) + tlscontext = prepareTLSContext(self, self.ctx, connectiontype.upper() == 'SSL' or port == 465) if port == 465: - if dbg: - print("SSL config: " + str(ssl.get_default_verify_paths()), file=sys.stderr) - self.server = smtplib.SMTP_SSL(server, port, timeout=tout, context=ssl.create_default_context()) + self.server = smtplib.SMTP_SSL(server, port, timeout=tout, context=tlscontext) else: self.server = smtplib.SMTP(server, port,timeout=tout) if dbg: self.server.set_debuglevel(1) - connectiontype = xConnectionContext.getValueByName("ConnectionType") - if dbg: - print("ConnectionType: " + connectiontype, file=sys.stderr) if connectiontype.upper() == 'SSL' and port != 465: - if dbg: - print("SSL config: " + str(ssl.get_default_verify_paths()), file=sys.stderr) - self.server.ehlo() - self.server.starttls(context=ssl.create_default_context()) - self.server.ehlo() + # STRIPTLS: smtplib raises an exception if result is not 220 + self.server.starttls(context=tlscontext) user = xAuthenticator.getUserName() password = xAuthenticator.getPassword() @@ -301,11 +325,10 @@ class PyMailIMAPService(unohelper.Base, XMailService): connectiontype = xConnectionContext.getValueByName("ConnectionType") if dbg: print(connectiontype, file=sys.stderr) + tlscontext = prepareTLSContext(self, self.ctx, connectiontype.upper() == 'SSL') print("BEFORE", file=sys.stderr) if connectiontype.upper() == 'SSL': - if dbg: - print("SSL config: " + str(ssl.get_default_verify_paths()), file=sys.stderr) - self.server = imaplib.IMAP4_SSL(server, port, ssl_context=ssl.create_default_context()) + self.server = imaplib.IMAP4_SSL(server, port, ssl_context=tlscontext) else: self.server = imaplib.IMAP4(server, port) print("AFTER", file=sys.stderr) @@ -372,11 +395,10 @@ class PyMailPOP3Service(unohelper.Base, XMailService): connectiontype = xConnectionContext.getValueByName("ConnectionType") if dbg: print(connectiontype, file=sys.stderr) + tlscontext = prepareTLSContext(self, self.ctx, connectiontype.upper() == 'SSL') print("BEFORE", file=sys.stderr) if connectiontype.upper() == 'SSL': - if dbg: - print("SSL config: " + str(ssl.get_default_verify_paths()), file=sys.stderr) - self.server = poplib.POP3_SSL(server, port, context=ssl.create_default_context()) + self.server = poplib.POP3_SSL(server, port, context=tlscontext) else: tout = xConnectionContext.getValueByName("Timeout") if dbg: |