From 5365daf67f8b81f69a47e3692a71fd3962505e46 Mon Sep 17 00:00:00 2001 From: Michael Stahl Date: Mon, 6 Nov 2023 18:11:42 +0100 Subject: [PATCH] officecfg,*: add Office::Security::Net::AllowInsecureProtocols By default, unencrypted network connections are allowed. But now it can be disabled, for everything that uses libcurl. Change-Id: I8e103f5a968ace2a19fdb9d6934c9a51b2aeabe4 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159011 Tested-by: Jenkins Reviewed-by: Michael Stahl --- desktop/Library_crashreport.mk | 4 +++ extensions/Library_updchk.mk | 4 +++ include/curlinit.hxx | 31 +++++++++++++------ linguistic/Library_lng.mk | 4 +++ .../schema/org/openoffice/Office/Security.xcs | 11 +++++++ ucb/Library_ucpcmis1.mk | 4 +++ ucb/Library_ucpftp1.mk | 4 +++ ucb/source/ucp/webdav-curl/CurlSession.cxx | 13 +++++--- .../ucp/webdav-curl/DAVResourceAccess.cxx | 18 +++++++++-- 9 files changed, 76 insertions(+), 17 deletions(-) diff --git a/desktop/Library_crashreport.mk b/desktop/Library_crashreport.mk index ba267e212974..c00814c82cee 100644 --- a/desktop/Library_crashreport.mk +++ b/desktop/Library_crashreport.mk @@ -31,6 +31,10 @@ $(eval $(call gb_Library_add_libs,crashreport,\ $(eval $(call gb_Library_use_sdk_api,crashreport)) +$(eval $(call gb_Library_use_custom_headers,crashreport,\ + officecfg/registry \ +)) + $(eval $(call gb_Library_use_libraries,crashreport,\ comphelper \ cppu \ diff --git a/extensions/Library_updchk.mk b/extensions/Library_updchk.mk index 7088efa2c37b..85c0293231fa 100644 --- a/extensions/Library_updchk.mk +++ b/extensions/Library_updchk.mk @@ -18,6 +18,10 @@ $(eval $(call gb_Library_set_include,updchk,\ $(eval $(call gb_Library_use_sdk_api,updchk)) +$(eval $(call gb_Library_use_custom_headers,updchk,\ + officecfg/registry \ +)) + $(eval $(call gb_Library_use_libraries,updchk,\ comphelper \ cppuhelper \ diff --git a/include/curlinit.hxx b/include/curlinit.hxx index 8b3a9968419d..14f660b41efa 100644 --- a/include/curlinit.hxx 
+++ b/include/curlinit.hxx @@ -11,6 +11,8 @@ #include +#include + #if defined(LINUX) && !defined(SYSTEM_CURL) #include @@ -36,24 +38,33 @@ static char const* GetCABundleFile() throw css::uno::RuntimeException("no OpenSSL CA certificate bundle found"); } +#endif static void InitCurl_easy(CURL* const pCURL) { + CURLcode rc; + (void)rc; + +#if defined(LINUX) && !defined(SYSTEM_CURL) char const* const path = GetCABundleFile(); - auto rc = curl_easy_setopt(pCURL, CURLOPT_CAINFO, path); + rc = curl_easy_setopt(pCURL, CURLOPT_CAINFO, path); if (rc != CURLE_OK) // only if OOM? { throw css::uno::RuntimeException("CURLOPT_CAINFO failed"); } -} - -#else - -static void InitCurl_easy(CURL* const) -{ - // these don't use OpenSSL so CAs work out of the box -} - #endif + if (!officecfg::Office::Security::Net::AllowInsecureProtocols::get()) + { + rc = curl_easy_setopt(pCURL, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); + assert(rc == CURLE_OK); + rc = curl_easy_setopt(pCURL, CURLOPT_PROXY_SSLVERSION, CURL_SSLVERSION_TLSv1_2); + assert(rc == CURLE_OK); + rc = curl_easy_setopt(pCURL, CURLOPT_PROTOCOLS_STR, "https"); + assert(rc == CURLE_OK); + rc = curl_easy_setopt(pCURL, CURLOPT_REDIR_PROTOCOLS_STR, "https"); + assert(rc == CURLE_OK); + } +} + /* vim:set shiftwidth=4 softtabstop=4 expandtab cinoptions=b1,g0,N-s cinkeys+=0=break: */ diff --git a/linguistic/Library_lng.mk b/linguistic/Library_lng.mk index 49c37b807685..4991163ed070 100644 --- a/linguistic/Library_lng.mk +++ b/linguistic/Library_lng.mk @@ -28,6 +28,10 @@ $(eval $(call gb_Library_set_include,lng,\ $(eval $(call gb_Library_use_sdk_api,lng)) +$(eval $(call gb_Library_use_custom_headers,lng,\ + officecfg/registry \ +)) + $(eval $(call gb_Library_add_defs,lng,\ -DLNG_DLLIMPLEMENTATION \ )) diff --git a/officecfg/registry/schema/org/openoffice/Office/Security.xcs b/officecfg/registry/schema/org/openoffice/Office/Security.xcs index f474df6def51..4cb9073012f5 100644 
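Review bot: In InitCurl_easy the four curl_easy_setopt calls that actually enforce the restriction are checked only with `assert`, so in an NDEBUG build a failing call leaves the handle unrestricted while the configuration says insecure protocols are disallowed; `CURLOPT_PROTOCOLS_STR` in particular is only known to libcurl 7.85.0 and later and returns CURLE_UNKNOWN_OPTION on an older system libcurl. The CAINFO branch a few lines above already throws `css::uno::RuntimeException` on failure, and the lock-down calls should fail closed the same way rather than silently degrade; that also removes the need for the `(void)rc;` placeholder. The rewritten block below replaces the four assert-guarded calls; the CAINFO part of the function is unchanged.
```cpp
    if (!officecfg::Office::Security::Net::AllowInsecureProtocols::get())
    {
        // fail closed: if any of these cannot be applied, the handle would
        // otherwise silently keep plaintext protocols / TLS < 1.2 enabled
        auto const setOrThrow = [pCURL](CURLoption const opt, auto const value) {
            if (curl_easy_setopt(pCURL, opt, value) != CURLE_OK)
            {
                throw css::uno::RuntimeException("AllowInsecureProtocols: curl_easy_setopt failed");
            }
        };
        setOrThrow(CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
        setOrThrow(CURLOPT_PROXY_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
        setOrThrow(CURLOPT_PROTOCOLS_STR, "https");
        setOrThrow(CURLOPT_REDIR_PROTOCOLS_STR, "https");
    }
```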
--- a/officecfg/registry/schema/org/openoffice/Office/Security.xcs +++ b/officecfg/registry/schema/org/openoffice/Office/Security.xcs @@ -44,5 +44,16 @@ true + + + Specifies how secure hyperlinks are processed. + + + + Allow using insecure and/or unencrypted protocols such as HTTP, SMTP, FTP. + + true + + diff --git a/ucb/Library_ucpcmis1.mk b/ucb/Library_ucpcmis1.mk index f18f9e04aad5..707d9ff604a4 100644 --- a/ucb/Library_ucpcmis1.mk +++ b/ucb/Library_ucpcmis1.mk @@ -14,6 +14,10 @@ $(eval $(call gb_Library_set_componentfile,ucpcmis1,ucb/source/ucp/cmis/ucpcmis1 $(eval $(call gb_Library_use_sdk_api,ucpcmis1)) +$(eval $(call gb_Library_use_custom_headers,ucpcmis1,\ + officecfg/registry \ +)) + $(eval $(call gb_Library_use_libraries,ucpcmis1,\ comphelper \ cppu \ diff --git a/ucb/Library_ucpftp1.mk b/ucb/Library_ucpftp1.mk index af8eda87f558..a6ac6c69f69b 100644 --- a/ucb/Library_ucpftp1.mk +++ b/ucb/Library_ucpftp1.mk @@ -16,6 +16,10 @@ $(eval $(call gb_Library_use_external,ucpftp1,boost_headers)) $(eval $(call gb_Library_use_sdk_api,ucpftp1)) +$(eval $(call gb_Library_use_custom_headers,ucpftp1,\ + officecfg/registry \ +)) + $(eval $(call gb_Library_use_libraries,ucpftp1,\ comphelper \ cppu \ diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index 1d85d5df0ca5..cc37f0b4da77 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx @@ -23,6 +23,7 @@ #include #include +#include #include #include 
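Review bot: The description added for the new group reads `Specifies how secure hyperlinks are processed.`, which describes hyperlink handling rather than the network-connection policy that its only property controls; the XML markup is stripped in this rendering, so which element carries that text is inferred. A wording such as `Specifies restrictions on network connections made by the office.` would fit the property. The property description should also say what `false` enforces, since the other hunks show it is more than a hint: libcurl connections are limited to https with TLS 1.2 or newer, and WebDAV http URLs are rewritten to https, which is what an administrator deploying this setting needs to know.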
@@ -682,15 +683,19 @@ CurlSession::CurlSession(uno::Reference xContext, rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HEADERFUNCTION, &header_callback); assert(rc == CURLE_OK); ::InitCurl_easy(m_pCurl.get()); + if (officecfg::Office::Security::Net::AllowInsecureProtocols::get()) + { // tdf#149921 by default, with schannel (WNT) connection fails if revocation // lists cannot be checked; try to limit the checking to when revocation // lists can actually be retrieved (usually not the case for self-signed CA) #if CURL_AT_LEAST_VERSION(7, 70, 0) - rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT); - assert(rc == CURLE_OK); - rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_PROXY_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT); - assert(rc == CURLE_OK); + rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT); + assert(rc == CURLE_OK); + rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_PROXY_SSL_OPTIONS, + CURLSSLOPT_REVOKE_BEST_EFFORT); + assert(rc == CURLE_OK); #endif + } // set this initially, may be overwritten during authentication rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HTTPAUTH, CURLAUTH_ANY); assert(rc == CURLE_OK); // ANY is always available diff --git a/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx b/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx index fa324b0493e9..c1b775c08f70 100644 --- a/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx +++ b/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx @@ -26,6 +26,9 @@ #include "DAVAuthListenerImpl.hxx" #include "DAVResourceAccess.hxx" +#include "webdavprovider.hxx" + +#include #include #include 
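Review bot: Inside the new `if (AllowInsecureProtocols)` block the tdf#149921 comment still explains why CURLSSLOPT_REVOKE_BEST_EFFORT is set, but nothing states that the strict configuration deliberately keeps libcurl's default behaviour of failing when revocation status cannot be checked, so a later reader may "fix" the regression by moving the calls back out of the condition. A one-line comment before the `if`, such as `// strict mode: keep libcurl's default of failing the handshake when revocation cannot be verified`, would pin the intent. The CurlSession constructor begins before this hunk and continues after it.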
@@ -1005,7 +1008,17 @@ void DAVResourceAccess::initialize() osl::Guard< osl::Mutex > aGuard( m_aMutex ); if ( m_aPath.isEmpty() ) { - CurlUri const aURI( m_aURL ); + CurlUri aURI(m_aURL); + assert(aURI.GetScheme() == HTTP_URL_SCHEME || aURI.GetScheme() == HTTPS_URL_SCHEME); + if (aURI.GetScheme() == HTTP_URL_SCHEME) + { + if (!officecfg::Office::Security::Net::AllowInsecureProtocols::get()) + { + // "http" not allowed -> immediately redirect to "https", + // better than showing confusing error to user + aURI.SetScheme(HTTPS_URL_SCHEME); + } + } OUString aPath( aURI.GetRelativeReference() ); /* #134089# - Check URI */ @@ -1021,8 +1034,7 @@ void DAVResourceAccess::initialize() m_xSession.clear(); // create new webdav session - m_xSession - = m_xSessionFactory->createDAVSession( m_aURL, m_aFlags, m_xContext ); + m_xSession = m_xSessionFactory->createDAVSession(aURI.GetURI(), m_aFlags, m_xContext); if ( !m_xSession.is() ) return;
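Review bot: After the http-to-https rewrite in initialize(), `m_aURL` still holds the caller's plaintext URL while the session is created from `aURI.GetURI()`; any later reader of `m_aURL` (its other uses are outside this hunk, so this is inferred) would still report or reconnect with the http form. Either update the member alongside the session, `m_aURL = aURI.GetURI();`, or add a comment stating that m_aURL intentionally keeps the original URL. Note also that `assert(aURI.GetScheme() == HTTP_URL_SCHEME || aURI.GetScheme() == HTTPS_URL_SCHEME);` is debug-only, so in a release build any other scheme bypasses the rewrite and is handed to createDAVSession unchanged, which matches the pre-patch behaviour but deserves a comment. Both hunks are inside DAVResourceAccess::initialize(), which starts before the first hunk and continues after the second.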