Posted to commits@openoffice.apache.org by ar...@apache.org on 2022/03/17 19:39:12 UTC

[openoffice] 04/05: All scripts must be subject to checks

This is an automated email from the ASF dual-hosted git repository.

ardovm pushed a commit to branch AOO42X
in repository https://gitbox.apache.org/repos/asf/openoffice.git

commit 2545873645e2f6d0aeefa0e500a216d74040610e
Author: Arrigo Marchiori <ar...@yahoo.it>
AuthorDate: Tue Oct 19 20:24:17 2021 +0200

    All scripts must be subject to checks
    
    (cherry picked from commit fb9ad7aa17549019ccdd2762a97d104449abf45d)
---
 main/scripting/source/protocolhandler/scripthandler.cxx | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/main/scripting/source/protocolhandler/scripthandler.cxx b/main/scripting/source/protocolhandler/scripthandler.cxx
index d064fde..85643ee 100644
--- a/main/scripting/source/protocolhandler/scripthandler.cxx
+++ b/main/scripting/source/protocolhandler/scripthandler.cxx
@@ -166,11 +166,9 @@ void SAL_CALL ScriptProtocolHandler::dispatchWithNotification(
             ::rtl::OUString sLocation = xScriptUri->getParameter( ::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "location" ) ) );
             bool bIsDocumentScript = ( sLocation == ::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "document" ) ) );
 
-            if ( bIsDocumentScript )
-            {
-                // obtain the component for our security check
-                Reference< XEmbeddedScripts > xDocumentScripts;
-                if ( getScriptInvocation() )
+            // obtain the component for our security check. We could check bIsDocumentScript but the "location" could be forged
+            if ( getScriptInvocation() ) {
+                    Reference< XEmbeddedScripts > xDocumentScripts;
                     xDocumentScripts.set( m_xScriptInvocation->getScriptContainer(), UNO_SET_THROW );
 
                 OSL_ENSURE( xDocumentScripts.is(), "ScriptProtocolHandler::dispatchWithNotification: can't do the security check!" );
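Review bot: When `getScriptInvocation()` returns false, the new `if ( getScriptInvocation() ) {` skips the whole security-check block. The removed code declared `xDocumentScripts` before that test, so a script with location "document" and no invocation context still reached the `OSL_ENSURE` with an empty reference. The rest of the block lies outside this hunk, so whether the old path actually rejected the call there is inferred, but the new shape lets that case pass unchecked, which sits oddly with the commit title. If that is not intended, keep the old outcome with an explicit branch after the block, for example `else if ( bIsDocumentScript ) return;`. Otherwise extend the comment to say why a missing invocation context needs no check. Note also that `OSL_ENSURE` is only a debug assertion, and the two added lines inside the `if` are indented one level deeper than the `OSL_ENSURE` that follows them.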