officecfg,*: add Office::Security::Net::AllowInsecureProtocols

By default, unencrypted network connections are allowed.

But now it can be disabled, for everything that uses libcurl.

Change-Id: I8e103f5a968ace2a19fdb9d6934c9a51b2aeabe4
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159011
Tested-by: Jenkins
Reviewed-by: Michael Stahl <[email protected]>
diff --git a/desktop/Library_crashreport.mk b/desktop/Library_crashreport.mk
index ba267e2..c00814c 100644
--- a/desktop/Library_crashreport.mk
+++ b/desktop/Library_crashreport.mk
@@ -31,6 +31,10 @@ $(eval $(call gb_Library_add_libs,crashreport,\

$(eval $(call gb_Library_use_sdk_api,crashreport))

$(eval $(call gb_Library_use_custom_headers,crashreport,\
	officecfg/registry \
))

$(eval $(call gb_Library_use_libraries,crashreport,\
    comphelper \
    cppu \
diff --git a/extensions/Library_updchk.mk b/extensions/Library_updchk.mk
index 7088efa..85c0293 100644
--- a/extensions/Library_updchk.mk
+++ b/extensions/Library_updchk.mk
@@ -18,6 +18,10 @@ $(eval $(call gb_Library_set_include,updchk,\

$(eval $(call gb_Library_use_sdk_api,updchk))

$(eval $(call gb_Library_use_custom_headers,updchk,\
	officecfg/registry \
))

$(eval $(call gb_Library_use_libraries,updchk,\
	comphelper \
	cppuhelper \
diff --git a/include/curlinit.hxx b/include/curlinit.hxx
index 8b3a99684..14f660b 100644
--- a/include/curlinit.hxx
+++ b/include/curlinit.hxx
@@ -11,6 +11,8 @@

#include <curl/curl.h>

#include <officecfg/Office/Security.hxx>

#if defined(LINUX) && !defined(SYSTEM_CURL)
#include <com/sun/star/uno/RuntimeException.hpp>

@@ -36,24 +38,33 @@ static char const* GetCABundleFile()

    throw css::uno::RuntimeException("no OpenSSL CA certificate bundle found");
}
#endif

static void InitCurl_easy(CURL* const pCURL)
{
    CURLcode rc;
    (void)rc;

#if defined(LINUX) && !defined(SYSTEM_CURL)
    char const* const path = GetCABundleFile();
    auto rc = curl_easy_setopt(pCURL, CURLOPT_CAINFO, path);
    rc = curl_easy_setopt(pCURL, CURLOPT_CAINFO, path);
    if (rc != CURLE_OK) // only if OOM?
    {
        throw css::uno::RuntimeException("CURLOPT_CAINFO failed");
    }
}

#else

static void InitCurl_easy(CURL* const)
{
    // these don't use OpenSSL so CAs work out of the box
}

#endif

    if (!officecfg::Office::Security::Net::AllowInsecureProtocols::get())
    {
        rc = curl_easy_setopt(pCURL, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
        assert(rc == CURLE_OK);
        rc = curl_easy_setopt(pCURL, CURLOPT_PROXY_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
        assert(rc == CURLE_OK);
        rc = curl_easy_setopt(pCURL, CURLOPT_PROTOCOLS_STR, "https");
        assert(rc == CURLE_OK);
        rc = curl_easy_setopt(pCURL, CURLOPT_REDIR_PROTOCOLS_STR, "https");
        assert(rc == CURLE_OK);
    }
}

/* vim:set shiftwidth=4 softtabstop=4 expandtab cinoptions=b1,g0,N-s cinkeys+=0=break: */
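Review bot: Enforcement of AllowInsecureProtocols=false rests on `assert(rc == CURLE_OK)` after each of the four curl_easy_setopt calls, so in an NDEBUG build a rejected option leaves the handle unrestricted and the connection proceeds fail-open; CURLOPT_PROTOCOLS_STR in particular is answered with CURLE_UNKNOWN_OPTION by a libcurl runtime older than 7.85.0 unless the configure-time minimum rules that out, which cannot be seen here. The CAINFO block a few lines above already throws on failure, and the new block should do the same, which means the `#include <com/sun/star/uno/RuntimeException.hpp>` near the top of the file has to move out of the LINUX/!SYSTEM_CURL conditional. Passing the CURL_SSLVERSION_* values as `long` also matches what curl_easy_setopt reads through its varargs instead of the enum's int.
```cpp
    // … unchanged: CAINFO block under LINUX && !SYSTEM_CURL …

    if (!officecfg::Office::Security::Net::AllowInsecureProtocols::get())
    {
        // Do not rely on assert() here: in NDEBUG builds a rejected option
        // would otherwise silently leave the handle unrestricted.
        auto const setOrThrow = [pCURL](CURLoption const opt, auto const value) {
            if (curl_easy_setopt(pCURL, opt, value) != CURLE_OK)
            {
                throw css::uno::RuntimeException("restricting libcurl to https/TLS 1.2+ failed");
            }
        };
        setOrThrow(CURLOPT_SSLVERSION, static_cast<long>(CURL_SSLVERSION_TLSv1_2));
        setOrThrow(CURLOPT_PROXY_SSLVERSION, static_cast<long>(CURL_SSLVERSION_TLSv1_2));
        setOrThrow(CURLOPT_PROTOCOLS_STR, "https");
        setOrThrow(CURLOPT_REDIR_PROTOCOLS_STR, "https");
    }
```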
diff --git a/linguistic/Library_lng.mk b/linguistic/Library_lng.mk
index 49c37b8..4991163 100644
--- a/linguistic/Library_lng.mk
+++ b/linguistic/Library_lng.mk
@@ -28,6 +28,10 @@ $(eval $(call gb_Library_set_include,lng,\

$(eval $(call gb_Library_use_sdk_api,lng))

$(eval $(call gb_Library_use_custom_headers,lng,\
	officecfg/registry \
))

$(eval $(call gb_Library_add_defs,lng,\
	-DLNG_DLLIMPLEMENTATION \
))
diff --git a/officecfg/registry/schema/org/openoffice/Office/Security.xcs b/officecfg/registry/schema/org/openoffice/Office/Security.xcs
index f474df6..4cb9073 100644
--- a/officecfg/registry/schema/org/openoffice/Office/Security.xcs
+++ b/officecfg/registry/schema/org/openoffice/Office/Security.xcs
@@ -44,5 +44,16 @@
        <value>true</value>
      </prop>
    </group>
    <group oor:name="Net">
      <info>
        <desc>Specifies how secure hyperlinks are processed.</desc>
      </info>
      <prop oor:name="AllowInsecureProtocols" oor:type="xs:boolean" oor:nillable="false">
        <info>
          <desc>Allow using insecure and/or unencrypted protocols such as HTTP, SMTP, FTP.</desc>
        </info>
        <value>true</value>
      </prop>
    </group>
  </component>
</oor:component-schema>
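Review bot: The new Net group's `<desc>` reads "Specifies how secure hyperlinks are processed.", which describes neither the group nor its only property, a switch over which protocols libcurl may use; something like `<desc>Settings that restrict network connections made by the office.</desc>` matches the content. The property description would also be more useful to an administrator locking this down if it named the effect of false, which the curlinit.hxx change in this commit defines: `<desc>Allow using insecure and/or unencrypted protocols such as HTTP, SMTP, FTP. If false, libcurl-based connections are limited to HTTPS with TLS 1.2 or newer.</desc>`.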
diff --git a/ucb/Library_ucpcmis1.mk b/ucb/Library_ucpcmis1.mk
index f18f9e0..707d9ff 100644
--- a/ucb/Library_ucpcmis1.mk
+++ b/ucb/Library_ucpcmis1.mk
@@ -14,6 +14,10 @@ $(eval $(call gb_Library_set_componentfile,ucpcmis1,ucb/source/ucp/cmis/ucpcmis1

$(eval $(call gb_Library_use_sdk_api,ucpcmis1))

$(eval $(call gb_Library_use_custom_headers,ucpcmis1,\
	officecfg/registry \
))

$(eval $(call gb_Library_use_libraries,ucpcmis1,\
	comphelper \
	cppu \
diff --git a/ucb/Library_ucpftp1.mk b/ucb/Library_ucpftp1.mk
index af8eda8..a6ac6c6 100644
--- a/ucb/Library_ucpftp1.mk
+++ b/ucb/Library_ucpftp1.mk
@@ -16,6 +16,10 @@ $(eval $(call gb_Library_use_external,ucpftp1,boost_headers))

$(eval $(call gb_Library_use_sdk_api,ucpftp1))

$(eval $(call gb_Library_use_custom_headers,ucpftp1,\
	officecfg/registry \
))

$(eval $(call gb_Library_use_libraries,ucpftp1,\
	comphelper \
	cppu \
diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index 1d85d5d..cc37f0b 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -23,6 +23,7 @@
#include <o3tl/string_view.hxx>

#include <officecfg/Inet.hxx>
#include <officecfg/Office/Security.hxx>

#include <com/sun/star/beans/NamedValue.hpp>
#include <com/sun/star/io/Pipe.hpp>
@@ -682,15 +683,19 @@ CurlSession::CurlSession(uno::Reference<uno::XComponentContext> xContext,
    rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HEADERFUNCTION, &header_callback);
    assert(rc == CURLE_OK);
    ::InitCurl_easy(m_pCurl.get());
    if (officecfg::Office::Security::Net::AllowInsecureProtocols::get())
    {
    // tdf#149921 by default, with schannel (WNT) connection fails if revocation
    // lists cannot be checked; try to limit the checking to when revocation
    // lists can actually be retrieved (usually not the case for self-signed CA)
#if CURL_AT_LEAST_VERSION(7, 70, 0)
    rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
    assert(rc == CURLE_OK);
    rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_PROXY_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
    assert(rc == CURLE_OK);
        rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
        assert(rc == CURLE_OK);
        rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_PROXY_SSL_OPTIONS,
                              CURLSSLOPT_REVOKE_BEST_EFFORT);
        assert(rc == CURLE_OK);
#endif
    }
    // set this initially, may be overwritten during authentication
    rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HTTPAUTH, CURLAUTH_ANY);
    assert(rc == CURLE_OK); // ANY is always available
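Review bot: The tdf#149921 comment above the revocation settings now describes only the AllowInsecureProtocols=true branch; with the setting off, CURLSSLOPT_REVOKE_BEST_EFFORT is no longer applied, so on schannel a connection whose revocation list cannot be fetched fails, which is the intended hardening but is stated nowhere. Add a line such as `// with AllowInsecureProtocols=false revocation checking stays strict: unreachable CRL/OCSP fails the connection` inside the if block. The three existing comment lines also sit at the `if` level while the code they describe is now one level deeper; reindenting them keeps the block readable. The CurlSession constructor starts and ends outside the hunk.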
diff --git a/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx b/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx
index fa324b0..c1b775c 100644
--- a/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx
+++ b/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx
@@ -26,6 +26,9 @@

#include "DAVAuthListenerImpl.hxx"
#include "DAVResourceAccess.hxx"
#include "webdavprovider.hxx"

#include <officecfg/Office/Security.hxx>

#include <com/sun/star/lang/IllegalArgumentException.hpp>
#include <com/sun/star/io/IOException.hpp>
@@ -1005,7 +1008,17 @@ void DAVResourceAccess::initialize()
    osl::Guard< osl::Mutex > aGuard( m_aMutex );
    if ( m_aPath.isEmpty() )
    {
        CurlUri const aURI( m_aURL );
        CurlUri aURI(m_aURL);
        assert(aURI.GetScheme() == HTTP_URL_SCHEME || aURI.GetScheme() == HTTPS_URL_SCHEME);
        if (aURI.GetScheme() == HTTP_URL_SCHEME)
        {
            if (!officecfg::Office::Security::Net::AllowInsecureProtocols::get())
            {
                // "http" not allowed -> immediately redirect to "https",
                // better than showing confusing error to user
                aURI.SetScheme(HTTPS_URL_SCHEME);
            }
        }
        OUString aPath( aURI.GetRelativeReference() );

        /* #134089# - Check URI */
@@ -1021,8 +1034,7 @@ void DAVResourceAccess::initialize()
            m_xSession.clear();

            // create new webdav session
            m_xSession
                = m_xSessionFactory->createDAVSession( m_aURL, m_aFlags, m_xContext );
            m_xSession = m_xSessionFactory->createDAVSession(aURI.GetURI(), m_aFlags, m_xContext);

            if ( !m_xSession.is() )
                return;
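Review bot: The http-to-https upgrade is applied only to the local `aURI`; `m_aURL` keeps the original http URL after the session is created from `aURI.GetURI()` in the second hunk, so any later reader of `m_aURL` (error reporting, the path taken when m_aPath is already set, or an accessor exposing the URL, none of which are visible here) would still carry the insecure form. If that is intentional, a comment next to `aURI.SetScheme(HTTPS_URL_SCHEME);` saying so would help; otherwise assign `m_aURL = aURI.GetURI();` right after the scheme change. The scheme swap also keeps any explicit port, so an http URL with a custom port is retried over TLS on that same port, which the server may not serve; a short comment that the upgrade is best-effort and may surface as a connection error avoids confusion later. initialize() continues beyond the hunk.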