-rw-r--r-- | desktop/Library_crashreport.mk | 4 | ||||
-rw-r--r-- | extensions/Library_updchk.mk | 4 | ||||
-rw-r--r-- | include/curlinit.hxx | 29 | ||||
-rw-r--r-- | linguistic/Library_lng.mk | 4 | ||||
-rw-r--r-- | officecfg/registry/schema/org/openoffice/Office/Security.xcs | 11 | ||||
-rw-r--r-- | ucb/Library_ucpcmis1.mk | 4 | ||||
-rw-r--r-- | ucb/Library_ucpftp1.mk | 4 | ||||
-rw-r--r-- | ucb/source/ucp/webdav-curl/CurlSession.cxx | 13 | ||||
-rw-r--r-- | ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx | 18 |
9 files changed, 75 insertions, 16 deletions
diff --git a/desktop/Library_crashreport.mk b/desktop/Library_crashreport.mk index ba267e212974..c00814c82cee 100644 --- a/desktop/Library_crashreport.mk +++ b/desktop/Library_crashreport.mk @@ -31,6 +31,10 @@ $(eval $(call gb_Library_add_libs,crashreport,\ $(eval $(call gb_Library_use_sdk_api,crashreport)) +$(eval $(call gb_Library_use_custom_headers,crashreport,\ + officecfg/registry \ +)) + $(eval $(call gb_Library_use_libraries,crashreport,\ comphelper \ cppu \ diff --git a/extensions/Library_updchk.mk b/extensions/Library_updchk.mk index 7088efa2c37b..85c0293231fa 100644 --- a/extensions/Library_updchk.mk +++ b/extensions/Library_updchk.mk @@ -18,6 +18,10 @@ $(eval $(call gb_Library_set_include,updchk,\ $(eval $(call gb_Library_use_sdk_api,updchk)) +$(eval $(call gb_Library_use_custom_headers,updchk,\ + officecfg/registry \ +)) + $(eval $(call gb_Library_use_libraries,updchk,\ comphelper \ cppuhelper \ diff --git a/include/curlinit.hxx b/include/curlinit.hxx index 8b3a9968419d..14f660b41efa 100644 --- a/include/curlinit.hxx +++ b/include/curlinit.hxx @@ -11,6 +11,8 @@ #include <curl/curl.h> +#include <officecfg/Office/Security.hxx> + #if defined(LINUX) && !defined(SYSTEM_CURL) #include <com/sun/star/uno/RuntimeException.hpp> 
@@ -36,24 +38,33 @@ static char const* GetCABundleFile() throw css::uno::RuntimeException("no OpenSSL CA certificate bundle found"); } +#endif static void InitCurl_easy(CURL* const pCURL) { + CURLcode rc; + (void)rc; + +#if defined(LINUX) && !defined(SYSTEM_CURL) char const* const path = GetCABundleFile(); - auto rc = curl_easy_setopt(pCURL, CURLOPT_CAINFO, path); + rc = curl_easy_setopt(pCURL, CURLOPT_CAINFO, path); if (rc != CURLE_OK) // only if OOM? { throw css::uno::RuntimeException("CURLOPT_CAINFO failed"); } -} - -#else +#endif -static void InitCurl_easy(CURL* const) -{ - // these don't use OpenSSL so CAs work out of the box + if (!officecfg::Office::Security::Net::AllowInsecureProtocols::get()) + { + rc = curl_easy_setopt(pCURL, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); + assert(rc == CURLE_OK); + rc = curl_easy_setopt(pCURL, CURLOPT_PROXY_SSLVERSION, CURL_SSLVERSION_TLSv1_2); + assert(rc == CURLE_OK); + rc = curl_easy_setopt(pCURL, CURLOPT_PROTOCOLS_STR, "https"); + assert(rc == CURLE_OK); + rc = curl_easy_setopt(pCURL, CURLOPT_REDIR_PROTOCOLS_STR, "https"); + assert(rc == CURLE_OK); + } } -#endif - /* vim:set shiftwidth=4 softtabstop=4 expandtab cinoptions=b1,g0,N-s cinkeys+=0=break: */ diff --git a/linguistic/Library_lng.mk b/linguistic/Library_lng.mk index 49c37b807685..4991163ed070 100644 --- a/linguistic/Library_lng.mk +++ b/linguistic/Library_lng.mk @@ -28,6 +28,10 @@ $(eval $(call gb_Library_set_include,lng,\ $(eval $(call gb_Library_use_sdk_api,lng)) +$(eval $(call gb_Library_use_custom_headers,lng,\ + officecfg/registry \ +)) + $(eval $(call gb_Library_add_defs,lng,\ -DLNG_DLLIMPLEMENTATION \ )) diff --git a/officecfg/registry/schema/org/openoffice/Office/Security.xcs b/officecfg/registry/schema/org/openoffice/Office/Security.xcs index f474df6def51..4cb9073012f5 100644 --- a/officecfg/registry/schema/org/openoffice/Office/Security.xcs +++ b/officecfg/registry/schema/org/openoffice/Office/Security.xcs 
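Review bot: The four new `curl_easy_setopt` calls in the `!AllowInsecureProtocols` branch of `InitCurl_easy` are only checked with `assert(rc == CURLE_OK)`, so in a release build a failed setopt (for example an unknown or unsupported option in the libcurl actually loaded) silently leaves the handle without the TLS 1.2 floor and the https-only protocol list, which is the opposite of what the setting promises. The CAINFO branch a few lines above already fails closed, and the same pattern fits here: `if (rc != CURLE_OK) { throw css::uno::RuntimeException("CURLOPT_PROTOCOLS_STR failed"); }` after each call (with the option name adjusted), which also requires moving the `RuntimeException.hpp` include out of the `LINUX && !SYSTEM_CURL` block it currently sits in. Separately, `CURLOPT_PROTOCOLS_STR` and `CURLOPT_REDIR_PROTOCOLS_STR` only exist in libcurl 7.85.0 and later; if older system curl builds are still supported this needs a `CURL_AT_LEAST_VERSION(7, 85, 0)` guard like the one CurlSession.cxx uses for 7.70, with an explicit decision about what happens on older versions. A one-line comment above the branch stating the intent would help too, e.g. `// hardened mode: TLS >= 1.2 and https-only, including redirects`.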
@@ -44,5 +44,16 @@ <value>true</value> </prop> </group> + <group oor:name="Net"> + <info> + <desc>Specifies how secure hyperlinks are processed.</desc> + </info> + <prop oor:name="AllowInsecureProtocols" oor:type="xs:boolean" oor:nillable="false"> + <info> + <desc>Allow using insecure and/or unencrypted protocols such as HTTP, SMTP, FTP.</desc> + </info> + <value>true</value> + </prop> + </group> </component> </oor:component-schema> diff --git a/ucb/Library_ucpcmis1.mk b/ucb/Library_ucpcmis1.mk index f18f9e04aad5..707d9ff604a4 100644 --- a/ucb/Library_ucpcmis1.mk +++ b/ucb/Library_ucpcmis1.mk @@ -14,6 +14,10 @@ $(eval $(call gb_Library_set_componentfile,ucpcmis1,ucb/source/ucp/cmis/ucpcmis1 $(eval $(call gb_Library_use_sdk_api,ucpcmis1)) +$(eval $(call gb_Library_use_custom_headers,ucpcmis1,\ + officecfg/registry \ +)) + $(eval $(call gb_Library_use_libraries,ucpcmis1,\ comphelper \ cppu \ diff --git a/ucb/Library_ucpftp1.mk b/ucb/Library_ucpftp1.mk index af8eda87f558..a6ac6c69f69b 100644 --- a/ucb/Library_ucpftp1.mk +++ b/ucb/Library_ucpftp1.mk @@ -16,6 +16,10 @@ $(eval $(call gb_Library_use_external,ucpftp1,boost_headers)) $(eval $(call gb_Library_use_sdk_api,ucpftp1)) +$(eval $(call gb_Library_use_custom_headers,ucpftp1,\ + officecfg/registry \ +)) + $(eval $(call gb_Library_use_libraries,ucpftp1,\ comphelper \ cppu \ diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index 1d85d5df0ca5..cc37f0b4da77 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx @@ -23,6 +23,7 @@ #include <o3tl/string_view.hxx> #include <officecfg/Inet.hxx> +#include <officecfg/Office/Security.hxx> #include <com/sun/star/beans/NamedValue.hpp> #include <com/sun/star/io/Pipe.hpp> 
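Review bot: The descriptions of the new `Net` group and the `AllowInsecureProtocols` property do not describe what the setting actually controls in this change: the group `<desc>` talks about hyperlinks, while the code paths in curlinit.hxx and DAVResourceAccess.cxx use the value to require TLS 1.2 or newer, restrict curl to https (including redirects) and rewrite http WebDAV URLs to https. Suggested property text: `<desc>Allow using insecure and/or unencrypted protocols such as HTTP, SMTP, FTP. When false, network connections require HTTPS with TLS 1.2 or newer and http: WebDAV URLs are upgraded to https:.</desc>`, and a group description along the lines of "Settings for network connections". It is also worth stating in the description that the default `true` keeps the previous behaviour, so administrators know the hardening only takes effect once the value is deployed as `false`.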
@@ -682,15 +683,19 @@ CurlSession::CurlSession(uno::Reference<uno::XComponentContext> xContext, rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HEADERFUNCTION, &header_callback); assert(rc == CURLE_OK); ::InitCurl_easy(m_pCurl.get()); + if (officecfg::Office::Security::Net::AllowInsecureProtocols::get()) + { // tdf#149921 by default, with schannel (WNT) connection fails if revocation // lists cannot be checked; try to limit the checking to when revocation // lists can actually be retrieved (usually not the case for self-signed CA) #if CURL_AT_LEAST_VERSION(7, 70, 0) - rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT); - assert(rc == CURLE_OK); - rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_PROXY_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT); - assert(rc == CURLE_OK); + rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT); + assert(rc == CURLE_OK); + rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_PROXY_SSL_OPTIONS, + CURLSSLOPT_REVOKE_BEST_EFFORT); + assert(rc == CURLE_OK); #endif + } // set this initially, may be overwritten during authentication rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HTTPAUTH, CURLAUTH_ANY); assert(rc == CURLE_OK); // ANY is always available diff --git a/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx b/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx index fa324b0493e9..c1b775c08f70 100644 --- a/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx +++ b/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx @@ -26,6 +26,9 @@ #include "DAVAuthListenerImpl.hxx" #include "DAVResourceAccess.hxx" +#include "webdavprovider.hxx" + +#include <officecfg/Office/Security.hxx> #include <com/sun/star/lang/IllegalArgumentException.hpp> #include <com/sun/star/io/IOException.hpp> 
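Review bot: The new `if (officecfg::Office::Security::Net::AllowInsecureProtocols::get())` around the `CURLSSLOPT_REVOKE_BEST_EFFORT` block is not explained; the surviving tdf#149921 comment says why best-effort revocation was introduced, not why it is now skipped in hardened mode. Since the consequence on schannel is that connections fail when revocation lists cannot be fetched, that fail-closed choice deserves a line such as `// with insecure protocols disallowed, keep curl's default strict revocation checking: a connection whose revocation status cannot be verified is rejected` placed on the `if` line. The constructor body continues outside the hunk.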
@@ -1005,7 +1008,17 @@ void DAVResourceAccess::initialize() osl::Guard< osl::Mutex > aGuard( m_aMutex ); if ( m_aPath.isEmpty() ) { - CurlUri const aURI( m_aURL ); + CurlUri aURI(m_aURL); + assert(aURI.GetScheme() == HTTP_URL_SCHEME || aURI.GetScheme() == HTTPS_URL_SCHEME); + if (aURI.GetScheme() == HTTP_URL_SCHEME) + { + if (!officecfg::Office::Security::Net::AllowInsecureProtocols::get()) + { + // "http" not allowed -> immediately redirect to "https", + // better than showing confusing error to user + aURI.SetScheme(HTTPS_URL_SCHEME); + } + } OUString aPath( aURI.GetRelativeReference() ); /* #134089# - Check URI */ @@ -1021,8 +1034,7 @@ void DAVResourceAccess::initialize() m_xSession.clear(); // create new webdav session - m_xSession - = m_xSessionFactory->createDAVSession( m_aURL, m_aFlags, m_xContext ); + m_xSession = m_xSessionFactory->createDAVSession(aURI.GetURI(), m_aFlags, m_xContext); if ( !m_xSession.is() ) return; |
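Review bot: `aURI.SetScheme(HTTPS_URL_SCHEME)` in `DAVResourceAccess::initialize` changes only the scheme, so a URL that carries an explicit port (as `http://host:80/...` would) presumably keeps that port on the https URI unless `SetScheme` normalises it, which is not visible here and is worth confirming; if it does not, the upgraded connection goes to the wrong port and the user sees exactly the confusing error the comment wants to avoid. The rewrite is also invisible to the user and to anyone debugging a failing mount; a `SAL_INFO` line in the provider's log area at the point of the rewrite, e.g. `SAL_INFO(<log area>, "AllowInsecureProtocols disabled: upgrading http URL to https: " << m_aURL);`, makes the behaviour observable. The `assert` on the scheme is compiled out in release builds, so the comment or the code should say what happens for any other scheme reaching this point. The enclosing function continues outside the hunk.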
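Review bot: The session is now created with `aURI.GetURI()` while `m_aURL` still holds the original http form, so after an upgrade the object carries two different URLs for the same resource; if `m_aURL` is used later for logging, redirect handling or re-initialisation (not visible in this hunk) those paths keep the insecure URL. Either assign the upgraded URL back (`m_aURL = aURI.GetURI();` next to the `SetScheme` call) or document on the member why the two may legitimately differ.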