officecfg,*: add Office::Security::Net::AllowInsecureProtocols

By default, unencrypted network connections are allowed. But now it can be disabled, for everything that uses libcurl. Change-Id: I8e103f5a968ace2a19fdb9d6934c9a51b2aeabe4 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159011 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
2023-11-06 18:11:42 +01:00 · 2023-11-06 18:11:42 +01:00 · 5365daf67f
commit 5365daf67f
parent c32bf48b74
9 changed files with 76 additions and 17 deletions
--- a/desktop/Library_crashreport.mk
+++ b/desktop/Library_crashreport.mk
@ -31,6 +31,10 @@ $(eval $(call gb_Library_add_libs,crashreport,\

 $(eval $(call gb_Library_use_sdk_api,crashreport))

+$(eval $(call gb_Library_use_custom_headers,crashreport,\
+	officecfg/registry \
+))
+
 $(eval $(call gb_Library_use_libraries,crashreport,\
    comphelper \
    cppu \
--- a/extensions/Library_updchk.mk
+++ b/extensions/Library_updchk.mk
@ -18,6 +18,10 @@ $(eval $(call gb_Library_set_include,updchk,\

 $(eval $(call gb_Library_use_sdk_api,updchk))

+$(eval $(call gb_Library_use_custom_headers,updchk,\
+	officecfg/registry \
+))
+
 $(eval $(call gb_Library_use_libraries,updchk,\
 	comphelper \
 	cppuhelper \
--- a/include/curlinit.hxx
+++ b/include/curlinit.hxx
@ -11,6 +11,8 @@

 #include <curl/curl.h>

+#include <officecfg/Office/Security.hxx>
+
 #if defined(LINUX) && !defined(SYSTEM_CURL)
 #include <com/sun/star/uno/RuntimeException.hpp>

@ -36,24 +38,33 @@ static char const* GetCABundleFile()

    throw css::uno::RuntimeException("no OpenSSL CA certificate bundle found");
 }
+#endif

 static void InitCurl_easy(CURL* const pCURL)
 {
+    CURLcode rc;
+    (void)rc;
+
+#if defined(LINUX) && !defined(SYSTEM_CURL)
    char const* const path = GetCABundleFile();
-    auto rc = curl_easy_setopt(pCURL, CURLOPT_CAINFO, path);
+    rc = curl_easy_setopt(pCURL, CURLOPT_CAINFO, path);
    if (rc != CURLE_OK) // only if OOM?
    {
        throw css::uno::RuntimeException("CURLOPT_CAINFO failed");
    }
-}
-
-#else
-
-static void InitCurl_easy(CURL* const)
-{
-    // these don't use OpenSSL so CAs work out of the box
-}
-
 #endif

+    if (!officecfg::Office::Security::Net::AllowInsecureProtocols::get())
+    {
+        rc = curl_easy_setopt(pCURL, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
+        assert(rc == CURLE_OK);
+        rc = curl_easy_setopt(pCURL, CURLOPT_PROXY_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
+        assert(rc == CURLE_OK);
+        rc = curl_easy_setopt(pCURL, CURLOPT_PROTOCOLS_STR, "https");
+        assert(rc == CURLE_OK);
+        rc = curl_easy_setopt(pCURL, CURLOPT_REDIR_PROTOCOLS_STR, "https");
+        assert(rc == CURLE_OK);
+    }
+}
+
 /* vim:set shiftwidth=4 softtabstop=4 expandtab cinoptions=b1,g0,N-s cinkeys+=0=break: */
--- a/linguistic/Library_lng.mk
+++ b/linguistic/Library_lng.mk
@ -28,6 +28,10 @@ $(eval $(call gb_Library_set_include,lng,\

 $(eval $(call gb_Library_use_sdk_api,lng))

+$(eval $(call gb_Library_use_custom_headers,lng,\
+	officecfg/registry \
+))
+
 $(eval $(call gb_Library_add_defs,lng,\
 	-DLNG_DLLIMPLEMENTATION \
 ))
--- a/officecfg/registry/schema/org/openoffice/Office/Security.xcs
+++ b/officecfg/registry/schema/org/openoffice/Office/Security.xcs
@ -44,5 +44,16 @@
        <value>true</value>
      </prop>
    </group>
+    <group oor:name="Net">
+      <info>
+        <desc>Specifies how secure hyperlinks are processed.</desc>
+      </info>
+      <prop oor:name="AllowInsecureProtocols" oor:type="xs:boolean" oor:nillable="false">
+        <info>
+          <desc>Allow using insecure and/or unencrypted protocols such as HTTP, SMTP, FTP.</desc>
+        </info>
+        <value>true</value>
+      </prop>
+    </group>
  </component>
 </oor:component-schema>
--- a/ucb/Library_ucpcmis1.mk
+++ b/ucb/Library_ucpcmis1.mk
@ -14,6 +14,10 @@ $(eval $(call gb_Library_set_componentfile,ucpcmis1,ucb/source/ucp/cmis/ucpcmis1

 $(eval $(call gb_Library_use_sdk_api,ucpcmis1))

+$(eval $(call gb_Library_use_custom_headers,ucpcmis1,\
+	officecfg/registry \
+))
+
 $(eval $(call gb_Library_use_libraries,ucpcmis1,\
 	comphelper \
 	cppu \
--- a/ucb/Library_ucpftp1.mk
+++ b/ucb/Library_ucpftp1.mk
@ -16,6 +16,10 @@ $(eval $(call gb_Library_use_external,ucpftp1,boost_headers))

 $(eval $(call gb_Library_use_sdk_api,ucpftp1))

+$(eval $(call gb_Library_use_custom_headers,ucpftp1,\
+	officecfg/registry \
+))
+
 $(eval $(call gb_Library_use_libraries,ucpftp1,\
 	comphelper \
 	cppu \
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@ -23,6 +23,7 @@
 #include <o3tl/string_view.hxx>

 #include <officecfg/Inet.hxx>
+#include <officecfg/Office/Security.hxx>

 #include <com/sun/star/beans/NamedValue.hpp>
 #include <com/sun/star/io/Pipe.hpp>
@ -682,15 +683,19 @@ CurlSession::CurlSession(uno::Reference<uno::XComponentContext> xContext,
    rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HEADERFUNCTION, &header_callback);
    assert(rc == CURLE_OK);
    ::InitCurl_easy(m_pCurl.get());
+    if (officecfg::Office::Security::Net::AllowInsecureProtocols::get())
+    {
    // tdf#149921 by default, with schannel (WNT) connection fails if revocation
    // lists cannot be checked; try to limit the checking to when revocation
    // lists can actually be retrieved (usually not the case for self-signed CA)
 #if CURL_AT_LEAST_VERSION(7, 70, 0)
-    rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
-    assert(rc == CURLE_OK);
-    rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_PROXY_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
-    assert(rc == CURLE_OK);
+        rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
+        assert(rc == CURLE_OK);
+        rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_PROXY_SSL_OPTIONS,
+                              CURLSSLOPT_REVOKE_BEST_EFFORT);
+        assert(rc == CURLE_OK);
 #endif
+    }
    // set this initially, may be overwritten during authentication
    rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HTTPAUTH, CURLAUTH_ANY);
    assert(rc == CURLE_OK); // ANY is always available
--- a/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx
+++ b/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx
@ -26,6 +26,9 @@

 #include "DAVAuthListenerImpl.hxx"
 #include "DAVResourceAccess.hxx"
+#include "webdavprovider.hxx"
+
+#include <officecfg/Office/Security.hxx>

 #include <com/sun/star/lang/IllegalArgumentException.hpp>
 #include <com/sun/star/io/IOException.hpp>
@ -1005,7 +1008,17 @@ void DAVResourceAccess::initialize()
    osl::Guard< osl::Mutex > aGuard( m_aMutex );
    if ( m_aPath.isEmpty() )
    {
-        CurlUri const aURI( m_aURL );
+        CurlUri aURI(m_aURL);
+        assert(aURI.GetScheme() == HTTP_URL_SCHEME || aURI.GetScheme() == HTTPS_URL_SCHEME);
+        if (aURI.GetScheme() == HTTP_URL_SCHEME)
+        {
+            if (!officecfg::Office::Security::Net::AllowInsecureProtocols::get())
+            {
+                // "http" not allowed -> immediately redirect to "https",
+                // better than showing confusing error to user
+                aURI.SetScheme(HTTPS_URL_SCHEME);
+            }
+        }
        OUString aPath( aURI.GetRelativeReference() );

        /* #134089# - Check URI */
@ -1021,8 +1034,7 @@ void DAVResourceAccess::initialize()
            m_xSession.clear();

            // create new webdav session
-            m_xSession
-                = m_xSessionFactory->createDAVSession( m_aURL, m_aFlags, m_xContext );
+            m_xSession = m_xSessionFactory->createDAVSession(aURI.GetURI(), m_aFlags, m_xContext);

            if ( !m_xSession.is() )
                return;