author | Michael Stahl <michael.stahl@allotropia.de> | 2023-11-06 18:11:42 +0100 |
---|---|---|
committer | Michael Stahl <michael.stahl@allotropia.de> | 2023-11-09 16:51:31 +0100 |
commit | 5365daf67f8b81f69a47e3692a71fd3962505e46 (patch) | |
tree | 573034fb9183193080782f119c9599b3396dcb97 /ucb | |
parent | c32bf48b7446808ffc47472021ec32cb7c70eea7 (diff) |
officecfg,*: add Office::Security::Net::AllowInsecureProtocols
By default, unencrypted network connections are allowed.
But now it can be disabled, for everything that uses libcurl.
Change-Id: I8e103f5a968ace2a19fdb9d6934c9a51b2aeabe4
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159011
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
Diffstat (limited to 'ucb')
-rw-r--r-- | ucb/Library_ucpcmis1.mk | 4 | ||||
-rw-r--r-- | ucb/Library_ucpftp1.mk | 4 | ||||
-rw-r--r-- | ucb/source/ucp/webdav-curl/CurlSession.cxx | 13 | ||||
-rw-r--r-- | ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx | 18 |
4 files changed, 32 insertions, 7 deletions
diff --git a/ucb/Library_ucpcmis1.mk b/ucb/Library_ucpcmis1.mk
index f18f9e04aad5..707d9ff604a4 100644
--- a/ucb/Library_ucpcmis1.mk
+++ b/ucb/Library_ucpcmis1.mk
@@ -14,6 +14,10 @@ $(eval $(call gb_Library_set_componentfile,ucpcmis1,ucb/source/ucp/cmis/ucpcmis1
 $(eval $(call gb_Library_use_sdk_api,ucpcmis1))
+$(eval $(call gb_Library_use_custom_headers,ucpcmis1,\
+ officecfg/registry \
+))
+
 $(eval $(call gb_Library_use_libraries,ucpcmis1,\
 comphelper \
 cppu \
diff --git a/ucb/Library_ucpftp1.mk b/ucb/Library_ucpftp1.mk
index af8eda87f558..a6ac6c69f69b 100644
--- a/ucb/Library_ucpftp1.mk
+++ b/ucb/Library_ucpftp1.mk
@@ -16,6 +16,10 @@ $(eval $(call gb_Library_use_external,ucpftp1,boost_headers))
 $(eval $(call gb_Library_use_sdk_api,ucpftp1))
+$(eval $(call gb_Library_use_custom_headers,ucpftp1,\
+ officecfg/registry \
+))
+
 $(eval $(call gb_Library_use_libraries,ucpftp1,\
 comphelper \
 cppu \
diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index 1d85d5df0ca5..cc37f0b4da77 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -23,6 +23,7 @@
 #include <o3tl/string_view.hxx>
 #include <officecfg/Inet.hxx>
+#include <officecfg/Office/Security.hxx>
 #include <com/sun/star/beans/NamedValue.hpp>
 #include <com/sun/star/io/Pipe.hpp>
@@ -682,15 +683,19 @@ CurlSession::CurlSession(uno::Reference<uno::XComponentContext> xContext,
 rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HEADERFUNCTION, &header_callback);
 assert(rc == CURLE_OK);
 ::InitCurl_easy(m_pCurl.get());
+ if (officecfg::Office::Security::Net::AllowInsecureProtocols::get())
+ {
 // tdf#149921 by default, with schannel (WNT) connection fails if revocation
 // lists cannot be checked; try to limit the checking to when revocation
 // lists can actually be retrieved (usually not the case for self-signed CA)
 #if CURL_AT_LEAST_VERSION(7, 70, 0)
- rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
- assert(rc == CURLE_OK);
- rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_PROXY_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
- assert(rc == CURLE_OK);
+ rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
+ assert(rc == CURLE_OK);
+ rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_PROXY_SSL_OPTIONS,
+ CURLSSLOPT_REVOKE_BEST_EFFORT);
+ assert(rc == CURLE_OK);
 #endif
+ }
 // set this initially, may be overwritten during authentication
 rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HTTPAUTH, CURLAUTH_ANY);
 assert(rc == CURLE_OK); // ANY is always available
diff --git a/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx b/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx
index fa324b0493e9..c1b775c08f70 100644
--- a/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx
+++ b/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx
@@ -26,6 +26,9 @@
 #include "DAVAuthListenerImpl.hxx"
 #include "DAVResourceAccess.hxx"
+#include "webdavprovider.hxx"
+
+#include <officecfg/Office/Security.hxx>
 #include <com/sun/star/lang/IllegalArgumentException.hpp>
 #include <com/sun/star/io/IOException.hpp>
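Review bot: Best-effort revocation checking is now conditional on `AllowInsecureProtocols`, a setting whose name only speaks of protocols, and the tdf#149921 comment inside the new `if` does not mention that coupling. With the setting off, the schannel default applies again, so a connection fails whenever revocation lists cannot be retrieved; if that is intended, say so above the condition, e.g. `// strict mode keeps hard-fail revocation checks; best-effort only if insecure protocols are allowed`. The hunk also does not show where plain http is refused on the curl handle itself, including for redirects; presumably `::InitCurl_easy` restricts the allowed protocols, which is worth confirming since it lies outside this diff. The constructor starts and ends outside the hunk.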
@@ -1005,7 +1008,17 @@ void DAVResourceAccess::initialize()
 osl::Guard< osl::Mutex > aGuard( m_aMutex );
 if ( m_aPath.isEmpty() )
 {
- CurlUri const aURI( m_aURL );
+ CurlUri aURI(m_aURL);
+ assert(aURI.GetScheme() == HTTP_URL_SCHEME || aURI.GetScheme() == HTTPS_URL_SCHEME);
+ if (aURI.GetScheme() == HTTP_URL_SCHEME)
+ {
+ if (!officecfg::Office::Security::Net::AllowInsecureProtocols::get())
+ {
+ // "http" not allowed -> immediately redirect to "https",
+ // better than showing confusing error to user
+ aURI.SetScheme(HTTPS_URL_SCHEME);
+ }
+ }
 OUString aPath( aURI.GetRelativeReference() );
 /* #134089# - Check URI */
@@ -1021,8 +1034,7 @@ void DAVResourceAccess::initialize()
 m_xSession.clear();
 // create new webdav session
- m_xSession
- = m_xSessionFactory->createDAVSession( m_aURL, m_aFlags, m_xContext );
+ m_xSession = m_xSessionFactory->createDAVSession(aURI.GetURI(), m_aFlags, m_xContext);
 if ( !m_xSession.is() )
 return; |
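Review bot: The https upgrade in `initialize()` fails open: it fires only on an exact match with `HTTP_URL_SCHEME`, and the only guard for other scheme values is an `assert`, which release builds drop. Whether `CurlUri` normalises case or dav-style aliases are mapped before this point is not visible here, so comparing against the secure scheme would be safer: `if (aURI.GetScheme() != HTTPS_URL_SCHEME && !officecfg::Office::Security::Net::AllowInsecureProtocols::get())`. An explicit port is presumably kept by `SetScheme`, so a URL such as `http://host:8080/` (constructed example) would become a TLS attempt on that port; a comment noting this would help whoever debugs the resulting error. The function body starts and ends outside the hunk.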
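Review bot: `m_aURL` still holds the original `http` URL after the session is created from `aURI.GetURI()`, so the member and the session can disagree on the scheme. Any later use of `m_aURL` outside this hunk (not visible here) would see the un-upgraded value; either assign the rewritten URI back or add a comment such as `// m_aURL intentionally keeps the user-supplied scheme; the session uses the upgraded URI`. `aURI` is declared in the previous hunk, and the function continues past this one.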