From 5365daf67f8b81f69a47e3692a71fd3962505e46 Mon Sep 17 00:00:00 2001 From: Michael Stahl Date: Mon, 6 Nov 2023 18:11:42 +0100 Subject: officecfg,*: add Office::Security::Net::AllowInsecureProtocols By default, unencrypted network connections are allowed. But now it can be disabled, for everything that uses libcurl. Change-Id: I8e103f5a968ace2a19fdb9d6934c9a51b2aeabe4 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159011 Tested-by: Jenkins Reviewed-by: Michael Stahl --- ucb/source/ucp/webdav-curl/CurlSession.cxx | 13 +++++++++---- ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx | 18 +++++++++++++++--- 2 files changed, 24 insertions(+), 7 deletions(-) (limited to 'ucb/source') diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index 1d85d5df0ca5..cc37f0b4da77 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx @@ -23,6 +23,7 @@ #include #include +#include #include #include @@ -682,15 +683,19 @@ CurlSession::CurlSession(uno::Reference xContext, rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HEADERFUNCTION, &header_callback); assert(rc == CURLE_OK); ::InitCurl_easy(m_pCurl.get()); + if (officecfg::Office::Security::Net::AllowInsecureProtocols::get()) + { // tdf#149921 by default, with schannel (WNT) connection fails if revocation // lists cannot be checked; try to limit the checking to when revocation // lists can actually be retrieved (usually not the case for self-signed CA) #if CURL_AT_LEAST_VERSION(7, 70, 0) - rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT); - assert(rc == CURLE_OK); - rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_PROXY_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT); - assert(rc == CURLE_OK); + rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT); + assert(rc == CURLE_OK); + rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_PROXY_SSL_OPTIONS, + CURLSSLOPT_REVOKE_BEST_EFFORT); + assert(rc == CURLE_OK); #endif + } // set this initially, may be overwritten during authentication rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HTTPAUTH, CURLAUTH_ANY); assert(rc == CURLE_OK); // ANY is always available diff --git a/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx b/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx index fa324b0493e9..c1b775c08f70 100644 --- a/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx +++ b/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx @@ -26,6 +26,9 @@ #include "DAVAuthListenerImpl.hxx" #include "DAVResourceAccess.hxx" +#include "webdavprovider.hxx" + +#include #include #include @@ -1005,7 +1008,17 @@ void DAVResourceAccess::initialize() osl::Guard< osl::Mutex > aGuard( m_aMutex ); if ( m_aPath.isEmpty() ) { - CurlUri const aURI( m_aURL ); + CurlUri aURI(m_aURL); + assert(aURI.GetScheme() == HTTP_URL_SCHEME || aURI.GetScheme() == HTTPS_URL_SCHEME); + if (aURI.GetScheme() == HTTP_URL_SCHEME) + { + if (!officecfg::Office::Security::Net::AllowInsecureProtocols::get()) + { + // "http" not allowed -> immediately redirect to "https", + // better than showing confusing error to user + aURI.SetScheme(HTTPS_URL_SCHEME); + } + } OUString aPath( aURI.GetRelativeReference() ); /* #134089# - Check URI */ @@ -1021,8 +1034,7 @@ void DAVResourceAccess::initialize() m_xSession.clear(); // create new webdav session - m_xSession - = m_xSessionFactory->createDAVSession( m_aURL, m_aFlags, m_xContext ); + m_xSession = m_xSessionFactory->createDAVSession(aURI.GetURI(), m_aFlags, m_xContext); if ( !m_xSession.is() ) return; -- cgit