path: root/testing/py3-unoconv/CVE-2019-17400.patch
From 467aa125cbe8f99346daeb2e94ce75c62f69c702 Mon Sep 17 00:00:00 2001
From: Samuel Erb <samrerb@erbbysam.com>
Date: Tue, 17 Sep 2019 12:22:12 -0400
Subject: [PATCH] change default updateDocMode behavior and add new option to
 keep old behavior (#510)

---
 unoconv | 51 ++++++++++++++++++++++++++++++---------------------
 1 file changed, 30 insertions(+), 21 deletions(-)

diff --git a/unoconv b/unoconv
index f844d0f..762dc85 100755
--- a/unoconv
+++ b/unoconv
@@ -543,6 +543,8 @@ class Options:
         self.template = None
         self.timeout = 6
         self.verbose = 0
+        self.userProfile = None
+        self.updateDocMode = NO_UPDATE
 
         self.setprinter = False
         self.paperformat = None
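Review bot: The new default `self.updateDocMode = NO_UPDATE` in Options.__init__ is the security-relevant line of this patch, yet nothing marks it as such. I would put a comment above it, `# Secure default (CVE-2019-17400): the loaded document must not fetch external resources; only --unsafe-quiet-update switches this to QUIET_UPDATE`, so a later cleanup does not quietly restore the old value. The __init__ body starts and ends outside the hunk.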
@@ -555,8 +557,8 @@ class Options:
                 ['connection=', 'debug', 'doctype=', 'export=', 'field=', 'format=',
                  'help', 'import=', 'import-filter-name=', 'listener', 'meta=', 'no-launch',
                  'output=', 'outputpath', 'password=', 'pipe=', 'port=', 'preserve',
-                 'server=', 'timeout=', 'show', 'stdin', 'stdout', 'template', 'printer=',
-                 'verbose', 'version'] )
+                 'server=', 'timeout=', 'user-profile=', 'show', 'stdin',
+                 'stdout', 'template', 'printer=', 'unsafe-quiet-update', 'verbose', 'version'] )
         except getopt.error as exc:
             print('unoconv: %s, try unoconv -h for a list of all the options' % str(exc))
             sys.exit(255)
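Review bot: `'user-profile='` is registered in the long-option list here, and `self.userProfile = None` is added in Options.__init__, but no hunk in this patch adds a branch that consumes `--user-profile`. Unless the option loop already handles it outside the visible context, getopt will accept the flag and its value will never reach `self.userProfile`. Either add the handler (`elif opt in ['--user-profile']:` followed by `self.userProfile = arg`) or drop both additions, since they are unrelated to the updateDocMode fix. The enclosing method continues outside the hunk.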
@@ -646,6 +648,10 @@ class Options:
                 self.template = arg
             elif opt in ['-T', '--timeout']:
                 self.timeout = int(arg)
+            elif opt in ['--unsafe-quiet-update']:
+                # ref https://www.openoffice.org/api/docs/common/ref/com/sun/star/document/UpdateDocMode.html
+                print('Warning: Do not use the option --unsafe-quiet-update with untrusted input.')
+                self.updateDocMode = QUIET_UPDATE
             elif opt in ['-v', '--verbose']:
                 self.verbose = self.verbose + 1
             elif opt in ['-V', '--version']:
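Review bot: The warning for `--unsafe-quiet-update` is written with a bare `print(...)`, so it goes to stdout, the same stream the `--stdout` option listed in the help text uses for the converted document. Combined with `--stdout`, the warning line would be mixed into the output, and a caller capturing only stderr would never see it. Send it to the error stream instead: `print('Warning: Do not use the option --unsafe-quiet-update with untrusted input.', file=sys.stderr)`. The option loop starts and ends outside the hunk.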
@@ -760,6 +766,7 @@ unoconv options:
       --stdout                        write output to stdout
   -t, --template=file                 import the styles from template (.ott)
   -T, --timeout=secs                  timeout after secs if connection to listener fails
+      --unsafe-quiet-update           allow rendered document to fetch external resources (Warning: this is unsafe with untrusted input)
   -v, --verbose                       be more and more verbose (-vvv for debugging)
       --version                       display version number of unoconv, OOo/LO and platform details
   -P, --printer                       printer options
@@ -930,7 +937,7 @@ class Convertor:
             phase = "import"
 
             ### Load inputfile
-            inputprops = UnoProps(Hidden=True, ReadOnly=True, UpdateDocMode=QUIET_UPDATE)
+            inputprops = UnoProps(Hidden=True, ReadOnly=True, UpdateDocMode=op.updateDocMode)
 
             if op.password:
                 inputprops += UnoProps(Password=op.password)
@@ -983,23 +990,25 @@ class Convertor:
 #            except AttributeError:
 #                pass
 
-            ### Update document links
-            phase = "update-links"
-            try:
-                document.updateLinks()
-                # Found that when converting HTML files with external images, OO would only load five or six of
-                # the images in the file. In the resulting document, the rest of the images did not appear. Cycling
-                # through all the image references in the document seems to force OO to actually load them. Found
-                # some helpful guidance in this thread:
-                # https://forum.openoffice.org/en/forum/viewtopic.php?f=30&t=23909
-                # Ideally we would like to have the option to embed the images into the document, but I have not been
-                # able to figure out how to do this yet.
-                graphObjs = document.GraphicObjects
-                for i in range(0, graphObjs.getCount()):
-                    graphObj = graphObjs.getByIndex(i)
-            except AttributeError:
-                # the document doesn't implement the XLinkUpdate interface
-                pass
+            ### Update document links if appropriate
+            if op.updateDocMode != NO_UPDATE:
+                phase = "update-links"
+                try:
+                    document.updateLinks()
+                    # Found that when converting HTML files with external images, OO would only load five or six of
+                    # the images in the file. In the resulting document, the rest of the images did not appear. Cycling
+                    # through all the image references in the document seems to force OO to actually load them. Found
+                    # some helpful guidance in this thread:
+                    # https://forum.openoffice.org/en/forum/viewtopic.php?f=30&t=23909
+                    # Ideally we would like to have the option to embed the images into the document, but I have not been
+                    # able to figure out how to do this yet.
+                    if op.updatehtmllinks:
+                        graphObjs = document.GraphicObjects
+                        for i in range(0, graphObjs.getCount()):
+                            graphObj = graphObjs.getByIndex(i)
+                except AttributeError:
+                    # the document doesn't implement the XLinkUpdate interface
+                    pass
 
             ### Add/Replace variables
             phase = "replace-fields"
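Review bot: `op.updatehtmllinks` is read inside the `try` whose `except AttributeError: pass` exists for documents without XLinkUpdate, and no hunk in this patch defines that attribute on Options. If the target version does not already set it, the lookup raises AttributeError and the handler swallows it. The graphic-object loop is then skipped on every run with no error shown. I would initialise it next to the other defaults, `self.updatehtmllinks = True`, or read it defensively with `if getattr(op, 'updatehtmllinks', True):`. It would also help to keep only `document.updateLinks()` inside the `try`, so the handler cannot hide unrelated attribute errors. The enclosing Convertor method starts and ends outside the hunk.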
@@ -1347,7 +1356,7 @@ if __name__ == '__main__':
     ### Now that we have found a working pyuno library, let's import some classes
     from com.sun.star.beans import PropertyValue
     from com.sun.star.connection import NoConnectException
-    from com.sun.star.document.UpdateDocMode import QUIET_UPDATE
+    from com.sun.star.document.UpdateDocMode import NO_UPDATE, QUIET_UPDATE
     from com.sun.star.lang import DisposedException, IllegalArgumentException
     from com.sun.star.io import IOException, XOutputStream
     from com.sun.star.script import CannotConvertException
-- 
2.23.0