officecfg,*: add Office::Security::Net::AllowInsecureProtocols

By default, unencrypted network connections are allowed.

But now it can be disabled, for everything that uses libcurl.

Change-Id: I8e103f5a968ace2a19fdb9d6934c9a51b2aeabe4
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159011
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>

2 files changed, 24 insertions, 7 deletions

diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index 1d85d5df0ca5..cc37f0b4da77 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -23,6 +23,7 @@
 #include <o3tl/string_view.hxx>
 
 #include <officecfg/Inet.hxx>
+#include <officecfg/Office/Security.hxx>
 
 #include <com/sun/star/beans/NamedValue.hpp>
 #include <com/sun/star/io/Pipe.hpp>
@@ -682,15 +683,19 @@ CurlSession::CurlSession(uno::Reference<uno::XComponentContext> xContext,
     rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HEADERFUNCTION, &header_callback);
     assert(rc == CURLE_OK);
     ::InitCurl_easy(m_pCurl.get());
+    if (officecfg::Office::Security::Net::AllowInsecureProtocols::get())
+    {
     // tdf#149921 by default, with schannel (WNT) connection fails if revocation
     // lists cannot be checked; try to limit the checking to when revocation
     // lists can actually be retrieved (usually not the case for self-signed CA)
 #if CURL_AT_LEAST_VERSION(7, 70, 0)
-    rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
-    assert(rc == CURLE_OK);
-    rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_PROXY_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
-    assert(rc == CURLE_OK);
+        rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
+        assert(rc == CURLE_OK);
+        rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_PROXY_SSL_OPTIONS,
+                              CURLSSLOPT_REVOKE_BEST_EFFORT);
+        assert(rc == CURLE_OK);
 #endif
+    }
     // set this initially, may be overwritten during authentication
     rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HTTPAUTH, CURLAUTH_ANY);
     assert(rc == CURLE_OK); // ANY is always available
diff --git a/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx b/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx
index fa324b0493e9..c1b775c08f70 100644
--- a/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx
+++ b/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx
@@ -26,6 +26,9 @@
 
 #include "DAVAuthListenerImpl.hxx"
 #include "DAVResourceAccess.hxx"
+#include "webdavprovider.hxx"
+
+#include <officecfg/Office/Security.hxx>
 
 #include <com/sun/star/lang/IllegalArgumentException.hpp>
 #include <com/sun/star/io/IOException.hpp>
@@ -1005,7 +1008,17 @@ void DAVResourceAccess::initialize()
     osl::Guard< osl::Mutex > aGuard( m_aMutex );
     if ( m_aPath.isEmpty() )
     {
-        CurlUri const aURI( m_aURL );
+        CurlUri aURI(m_aURL);
+        assert(aURI.GetScheme() == HTTP_URL_SCHEME || aURI.GetScheme() == HTTPS_URL_SCHEME);
+        if (aURI.GetScheme() == HTTP_URL_SCHEME)
+        {
+            if (!officecfg::Office::Security::Net::AllowInsecureProtocols::get())
+            {
+                // "http" not allowed -> immediately redirect to "https",
+                // better than showing confusing error to user
+                aURI.SetScheme(HTTPS_URL_SCHEME);
+            }
+        }
         OUString aPath( aURI.GetRelativeReference() );
 
         /* #134089# - Check URI */
@@ -1021,8 +1034,7 @@ void DAVResourceAccess::initialize()
             m_xSession.clear();
 
             // create new webdav session
-            m_xSession
-                = m_xSessionFactory->createDAVSession( m_aURL, m_aFlags, m_xContext );
+            m_xSession = m_xSessionFactory->createDAVSession(aURI.GetURI(), m_aFlags, m_xContext);
 
             if ( !m_xSession.is() )
                 return;