Skip to content
Permalink
Browse files

sanitize LibreLogo calls

Change-Id: Ie4d9858e5b4b3e55ab08416fb9338d2df34ee5e1
Reviewed-on: https://gerrit.libreoffice.org/73627
Tested-by: Jenkins
Reviewed-by: László Németh <nemeth@numbertext.org>
(cherry picked from commit 1b63fa3)
Reviewed-on: https://gerrit.libreoffice.org/73655
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
  • Loading branch information...
laszlonemeth authored and Caolán McNamara committed Jun 6, 2019
1 parent 019c3f7 commit 5d47b7b3f6a134037f1f3d8c018505244d7be484
Showing with 50 additions and 1 deletion.
  1. +50 −1 librelogo/source/LibreLogo/LibreLogo.py
@@ -145,6 +145,7 @@ def __l12n__(lng):
class __Doc__:
def __init__(self, doc):
self.doc = doc
self.secure = False
try:
self.drawpage = doc.DrawPage # Writer
except:
@@ -468,10 +469,58 @@ def __init__(self, code):
self.code = code
threading.Thread.__init__(self)

def secure(self):
# 0 = secure
if _.secure:
return 0

# 1 = forms, fields or embedded objects are forbidden
if _.doc.DrawPage.Forms.getCount() > 0 or _.doc.getTextFields().createEnumeration().hasMoreElements() or _.doc.getEmbeddedObjects().getCount() > 0:
return 1

# 2 = hyperlinks with script events
nodes = _.doc.Text.createEnumeration()
while nodes.hasMoreElements():
node = nodes.nextElement()
if node.supportsService("com.sun.star.text.Paragraph"):
portions = node.createEnumeration()
while portions.hasMoreElements():
portion = portions.nextElement()
if portion.PropertySetInfo.hasPropertyByName("HyperLinkEvents"):
events = portion.getPropertyValue("HyperLinkEvents")
for event in events.getElementNames():
attributes = events.getByName(event)
for attribute in attributes:
if attribute.Name == "EventType" and attribute.Value == "Script":
return 2

# 2 = images with script events
images = _.doc.DrawPage.createEnumeration()
while images.hasMoreElements():
image = images.nextElement()
try:
events = image.Events
for event in events.getElementNames():
attributes = events.getByName(event)
for attribute in attributes:
if attribute.Name == "EventType" and attribute.Value == "Script":
return 2
except:
pass

_.secure = True
return 0

def run(self):
global __thread__
try:
exec(self.code)
# check document security
secid = self.secure()
if secid > 0:
parent = _.doc.CurrentController.Frame.ContainerWindow
MessageBox(parent, "Document objects with%s script events" % [" possible", ""][secid-1], "LibreLogo program can't start", "errorbox")
else:
exec(self.code)
if _.origcursor[0] and _.origcursor[1]:
__dispatcher__(".uno:Escape")
try:

0 comments on commit 5d47b7b

Please sign in to comment.
You can’t perform that action at this time.