Posted to commits@openoffice.apache.org by ar...@apache.org on 2022/03/17 19:39:12 UTC
[openoffice] 04/05: All scripts must be subject to checks
This is an automated email from the ASF dual-hosted git repository.
ardovm pushed a commit to branch AOO42X
in repository https://gitbox.apache.org/repos/asf/openoffice.git
commit 2545873645e2f6d0aeefa0e500a216d74040610e
Author: Arrigo Marchiori <ar...@yahoo.it>
AuthorDate: Tue Oct 19 20:24:17 2021 +0200
All scripts must be subject to checks
(cherry picked from commit fb9ad7aa17549019ccdd2762a97d104449abf45d)
---
main/scripting/source/protocolhandler/scripthandler.cxx | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/main/scripting/source/protocolhandler/scripthandler.cxx b/main/scripting/source/protocolhandler/scripthandler.cxx
index d064fde..85643ee 100644
--- a/main/scripting/source/protocolhandler/scripthandler.cxx
+++ b/main/scripting/source/protocolhandler/scripthandler.cxx
@@ -166,11 +166,9 @@ void SAL_CALL ScriptProtocolHandler::dispatchWithNotification(
::rtl::OUString sLocation = xScriptUri->getParameter( ::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "location" ) ) );
bool bIsDocumentScript = ( sLocation == ::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "document" ) ) );
- if ( bIsDocumentScript )
- {
- // obtain the component for our security check
- Reference< XEmbeddedScripts > xDocumentScripts;
- if ( getScriptInvocation() )
+ // obtain the component for our security check. We could check bIsDocumentScript but the "location" could be forged
+ if ( getScriptInvocation() ) {
+ Reference< XEmbeddedScripts > xDocumentScripts;
xDocumentScripts.set( m_xScriptInvocation->getScriptContainer(), UNO_SET_THROW );
OSL_ENSURE( xDocumentScripts.is(), "ScriptProtocolHandler::dispatchWithNotification: can't do the security check!" );
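Review bot: With the security check now gated only on `getScriptInvocation()`, a dispatch that has no invocation context skips the whole block, so this hunk shows no macro-execution check for that case. Before the change, a `location=document` script in that state still reached the `OSL_ENSURE` with an empty `xDocumentScripts`. `OSL_ENSURE` is only a debug-build diagnostic, so the actual refusal must come from the code after the hunk; the `if` block closes outside the visible lines, so that cannot be confirmed here. If that code does not already refuse, consider failing closed with `else if ( bIsDocumentScript ) return; // no invocation context: cannot verify, refuse`, and extend the new comment to say what is intended when `getScriptInvocation()` is false. As a style point, the opening brace on the `if` line departs from the own-line brace used in the removed lines.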