libcmis,ucb: cmis: improve AllowInsecureProtocols implementation

1. in libcmis, pass the CurlInitProtocolsFunction to all subclasses of
HttpSession that need it, and add 2 upstream fixes to pass it around

2. Arrange for InitCurl_easy to be called in UCP RepoContent as well

3. If AllowInsecureProtocols is disabled, automatically upgrade
http connections to https, as is already done in webdav-curl.
Do this in Content and RepoContent; hopefully should work
to convert when m_aURL member is initialised;
the m_xIdentifier on the other hand should have the original
URL because ContentProviderImplHelper::queryExistingContents()
caching likely relies on that.

Change-Id: I20d36ed03ba7ce221d6946b1c996071f4130ec7e
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/169114
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>

3 files changed, 25 insertions, 3 deletions

diff --git a/ucb/source/ucp/cmis/cmis_content.cxx b/ucb/source/ucp/cmis/cmis_content.cxx
index c5ff2886e981..c1808f8bc492 100644
--- a/ucb/source/ucp/cmis/cmis_content.cxx
+++ b/ucb/source/ucp/cmis/cmis_content.cxx
@@ -268,7 +268,7 @@ namespace cmis
         m_pSession( nullptr ),
         m_pObject(std::move( pObject )),
         m_sURL( Identifier->getContentIdentifier( ) ),
-        m_aURL( Identifier->getContentIdentifier( ) ),
+        m_aURL( m_sURL ),
         m_bTransient( false ),
         m_bIsFolder( false )
     {
@@ -285,7 +285,7 @@ namespace cmis
         m_pProvider( pProvider ),
         m_pSession( nullptr ),
         m_sURL( Identifier->getContentIdentifier( ) ),
-        m_aURL( Identifier->getContentIdentifier( ) ),
+        m_aURL( m_sURL ),
         m_bTransient( true ),
         m_bIsFolder( bIsFolder )
     {
diff --git a/ucb/source/ucp/cmis/cmis_repo_content.cxx b/ucb/source/ucp/cmis/cmis_repo_content.cxx
index caba10826ee7..38c261cdf3b8 100644
--- a/ucb/source/ucp/cmis/cmis_repo_content.cxx
+++ b/ucb/source/ucp/cmis/cmis_repo_content.cxx
@@ -24,6 +24,7 @@
 #include <config_oauth2.h>
 #include <rtl/uri.hxx>
 #include <sal/log.hxx>
+#include <systools/curlinit.hxx>
 #include <tools/urlobj.hxx>
 #include <ucbhelper/cancelcommandexecution.hxx>
 #include <ucbhelper/contentidentifier.hxx>
@@ -132,6 +133,9 @@ namespace cmis
                 new CertValidationHandler( xEnv, m_xContext, aBindingUrl.GetHost( ) ) );
         libcmis::SessionFactory::setCertificateValidationHandler( certHandler );
 
+        // init libcurl callback
+        libcmis::SessionFactory::setCurlInitProtocolsFunction(&::InitCurl_easy);
+
         // Get the auth credentials
         AuthProvider authProvider( xEnv, m_xIdentifier->getContentIdentifier( ), m_aURL.getBindingUrl( ) );
         AuthProvider::setXEnv( xEnv );
diff --git a/ucb/source/ucp/cmis/cmis_url.cxx b/ucb/source/ucp/cmis/cmis_url.cxx
index 86fde73b94bb..43f5ce004e56 100644
--- a/ucb/source/ucp/cmis/cmis_url.cxx
+++ b/ucb/source/ucp/cmis/cmis_url.cxx
@@ -10,12 +10,30 @@
 #include <sal/config.h>
 
 #include <rtl/uri.hxx>
+#include <officecfg/Office/Security.hxx>
 #include <tools/urlobj.hxx>
 
 #include "cmis_url.hxx"
 
 namespace cmis
 {
+
+    static OUString CheckInsecureProtocol(OUString const& rURL)
+    {
+        OUString rest;
+        if (rURL.startsWithIgnoreAsciiCase("http://", &rest))
+        {
+            if (!officecfg::Office::Security::Net::AllowInsecureProtocols::get())
+            {
+                // "http" not allowed -> immediately redirect to "https",
+                // better than showing confusing error to user
+                return "https://" + rest;
+            }
+        }
+        return rURL;
+    }
+
+
     URL::URL( std::u16string_view urlStr )
     {
         INetURLObject aUrl( urlStr );
@@ -23,7 +41,7 @@ namespace cmis
         // Decode the authority to get the binding URL and repository id
         OUString sDecodedHost = aUrl.GetHost( INetURLObject::DecodeMechanism::WithCharset );
         INetURLObject aHostUrl( sDecodedHost );
-        m_sBindingUrl = aHostUrl.GetURLNoMark( );
+        m_sBindingUrl = CheckInsecureProtocol(aHostUrl.GetURLNoMark());
         m_sRepositoryId = aHostUrl.GetMark( );
 
         m_sUser = aUrl.GetUser( INetURLObject::DecodeMechanism::WithCharset );