diff --git a/changelog b/changelog index 5ecbffccd..4886ff8e1 100644 --- a/changelog +++ b/changelog @@ -1,3 +1,16 @@ +libreoffice (1:7.3.7-0ubuntu0.22.04.3) UNRELEASED; urgency=high + + * SECURITY UPDATE: Remote documents loaded without prompt via IFrame + - debian/patches/CVE-2023-2255-*.patch: multiple commits to fix + security issues. + - CVE-2023-2255 + * SECURITY UPDATE: Array Index UnderFlow in Calc Formula Parsing + - debian/patches/CVE-2023-0950.patch: Obtain actual 0-parameter count + for OR(), AND() and 1-parameter functions + - CVE-2023-0950 + + -- Rico Tzschichholz Thu, 25 May 2023 22:52:23 +0200 + libreoffice (1:7.3.7-0ubuntu0.22.04.2) jammy; urgency=medium * Cherry picked bug fixes release (LP: #2003335) diff --git a/patches/CVE-2023-0950.patch b/patches/CVE-2023-0950.patch new file mode 100644 index 000000000..ce1b32d08 --- /dev/null +++ b/patches/CVE-2023-0950.patch @@ -0,0 +1,86 @@ +From 29a32f6e405e6c8dfb9729a3d72e23dccdfa53a9 Mon Sep 17 00:00:00 2001 +From: Eike Rathke +Date: Thu, 16 Feb 2023 20:20:31 +0100 +Subject: [PATCH] Obtain actual 0-parameter count for OR(), AND() and + 1-parameter functions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +OR and AND for legacy infix notation are classified as binary +operators but in fact are functions with parameter count. In case +no argument is supplied, GetByte() returns 0 and for that case the +implicit binary operator 2 parameters were wrongly assumed. +Similar for functions expecting 1 parameter, without argument 1 +was assumed. For "real" unary and binary operators the compiler +already checks parameters. Omit OR and AND and 1-parameter +functions from this implicit assumption and return the actual 0 +count. + +Change-Id: Ie05398c112a98021ac2875cf7b6de994aee9d882 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147173 +Reviewed-by: Eike Rathke +Tested-by: Jenkins +(cherry picked from commit e7ce9bddadb2db222eaa5f594ef1de2e36d57e5c) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147129 +Reviewed-by: Caolán McNamara +(cherry picked from commit d6599a2af131994487d2d9223a4fd32a8c3ddc49) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147235 +Tested-by: Jenkins CollaboraOffice +Reviewed-by: Andras Timar +--- + formula/source/core/api/token.cxx | 13 +++++-------- + sc/source/core/tool/interpr4.cxx | 10 +++++++++- + 2 files changed, 14 insertions(+), 9 deletions(-) + +diff --git a/formula/source/core/api/token.cxx b/formula/source/core/api/token.cxx +index a7d44f897a24..6e50ca011983 100644 +--- a/formula/source/core/api/token.cxx ++++ b/formula/source/core/api/token.cxx +@@ -93,17 +93,14 @@ sal_uInt8 FormulaToken::GetParamCount() const + return 0; // parameters and specials + // ocIf... jump commands not for FAP, have cByte then + //2do: bool parameter whether FAP or not? +- else if ( GetByte() ) ++ else if (GetByte()) + return GetByte(); // all functions, also ocExternal and ocMacro +- else if (SC_OPCODE_START_BIN_OP <= eOp && eOp < SC_OPCODE_STOP_BIN_OP) +- return 2; // binary +- else if ((SC_OPCODE_START_UN_OP <= eOp && eOp < SC_OPCODE_STOP_UN_OP) +- || eOp == ocPercentSign) +- return 1; // unary ++ else if (SC_OPCODE_START_BIN_OP <= eOp && eOp < SC_OPCODE_STOP_BIN_OP && eOp != ocAnd && eOp != ocOr) ++ return 2; // binary operators, compiler checked; OR and AND legacy but are functions ++ else if ((SC_OPCODE_START_UN_OP <= eOp && eOp < SC_OPCODE_STOP_UN_OP) || eOp == ocPercentSign) ++ return 1; // unary operators, compiler checked + else if (SC_OPCODE_START_NO_PAR <= eOp && eOp < SC_OPCODE_STOP_NO_PAR) + return 0; // no parameter +- else if (SC_OPCODE_START_1_PAR <= eOp && eOp < SC_OPCODE_STOP_1_PAR) +- return 1; // one parameter + else if (FormulaCompiler::IsOpCodeJumpCommand( eOp )) + return 1; // only the condition counts as parameter + else +diff --git a/sc/source/core/tool/interpr4.cxx b/sc/source/core/tool/interpr4.cxx +index f0dee4b21b63..d9ea8acd5c8e 100644 +--- a/sc/source/core/tool/interpr4.cxx ++++ b/sc/source/core/tool/interpr4.cxx +@@ -4011,7 +4011,15 @@ StackVar ScInterpreter::Interpret() + else if (sp >= pCur->GetParamCount()) + nStackBase = sp - pCur->GetParamCount(); + else +- nStackBase = sp; // underflow?!? ++ { ++ SAL_WARN("sc.core", "Stack anomaly at " << aPos.Format( ++ ScRefFlags::VALID | ScRefFlags::FORCE_DOC | ScRefFlags::TAB_3D, &mrDoc) ++ << " eOp: " << static_cast(eOp) ++ << " params: " << static_cast(pCur->GetParamCount()) ++ << " nStackBase: " << nStackBase << " sp: " << sp); ++ nStackBase = sp; ++ assert(!"underflow"); ++ } + } + + switch( eOp ) +-- +2.40.1 + diff --git a/patches/CVE-2023-2255-1.patch b/patches/CVE-2023-2255-1.patch new file mode 100644 index 000000000..9e948f387 --- /dev/null +++ b/patches/CVE-2023-2255-1.patch @@ -0,0 +1,73 @@ +From 7324709c452a7dc69716e67230625703795ada7e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Tue, 11 Apr 2023 10:13:37 +0100 +Subject: [PATCH 1/3] set Referer on loading IFrames +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +so tools, options, security, options, +"block any links from document not..." +applies to their contents. + +Change-Id: I04839aea6b07a4a76ac147a85045939ccd9c3c79 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150221 +Tested-by: Jenkins +Reviewed-by: Caolán McNamara +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150751 +Reviewed-by: Stephan Bergmann +(cherry picked from commit acff9ca0579333b45d10ae5f8cd48172f563dddd) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152095 +Tested-by: Caolán McNamara +Reviewed-by: Caolán McNamara +--- + sfx2/source/doc/iframe.cxx | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx +index 80e0c4e68457..050d5c3f9e0f 100644 +--- a/sfx2/source/doc/iframe.cxx ++++ b/sfx2/source/doc/iframe.cxx +@@ -38,6 +38,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -165,14 +166,19 @@ sal_Bool SAL_CALL IFrameObject::load( + uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) ); + xTrans->parseStrict( aTargetURL ); + ++ uno::Reference xParentFrame = xFrame->getCreator(); ++ SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame); ++ + if (INetURLObject(aTargetURL.Complete).GetProtocol() == INetProtocol::Macro) + { +- uno::Reference xParentFrame = xFrame->getCreator(); +- SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame); + if (pDoc && !pDoc->AdjustMacroMode()) + return false; + } + ++ OUString sReferer; ++ if (pDoc && pDoc->HasName()) ++ sReferer = pDoc->GetMedium()->GetName(); ++ + DBG_ASSERT( !mxFrame.is(), "Frame already existing!" ); + VclPtr pParent = VCLUnoHelper::GetWindow( xFrame->getContainerWindow() ); + VclPtr pWin = VclPtr::Create( pParent, maFrmDescr.IsFrameBorderOn() ); +@@ -197,7 +203,8 @@ sal_Bool SAL_CALL IFrameObject::load( + + uno::Sequence < beans::PropertyValue > aProps{ + comphelper::makePropertyValue("PluginMode", sal_Int16(2)), +- comphelper::makePropertyValue("ReadOnly", true) ++ comphelper::makePropertyValue("ReadOnly", true), ++ comphelper::makePropertyValue("Referer", sReferer) + }; + uno::Reference < frame::XDispatch > xDisp = mxFrame->queryDispatch( aTargetURL, "_self", 0 ); + if ( xDisp.is() ) +-- +2.40.1 + diff --git a/patches/CVE-2023-2255-2.patch b/patches/CVE-2023-2255-2.patch new file mode 100644 index 000000000..ab4043248 --- /dev/null +++ b/patches/CVE-2023-2255-2.patch @@ -0,0 +1,899 @@ +From b41ef0dfc9e061589fa35c73ec942c0b598be3d4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Thu, 13 Apr 2023 11:31:17 +0100 +Subject: [PATCH 2/3] put floating frames under managed links control +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +like we do for sections and ole objects that link to their content + +individual commits in trunk are: + +extract a OCommonEmbeddedObject::SetInplaceActiveState for reuse + +no behaviour change intended + +Change-Id: Ia1d12aa5c9afdc1347f6d4364bc6a0b7f41ee168 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150341 +Tested-by: Caolán McNamara +Reviewed-by: Caolán McNamara +(cherry picked from commit 183e34a3f8c429c0698951e24c17844e416a3825) + +use parent window as dialog parent + +it makes no odds, but is more convenient for upcoming modification + +Change-Id: Ibc5333b137d2da089b3b701ff615c6ddf43063d0 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150342 +Tested-by: Caolán McNamara +Reviewed-by: Caolán McNamara +(cherry picked from commit f93edf343658abd489bde3639d2ffaefd50c0f99) + +adjust IFrameObject so it could reuse mxFrame for a reload of content + +Change-Id: I7eec3132a23faafd9a2878215a0a117a67bc9bf2 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150343 +Tested-by: Caolán McNamara +Reviewed-by: Caolán McNamara +(cherry picked from commit 3a727d26fd9eb6fa140bc3f5cadf3db079d42206) + +query getUserAllowsLinkUpdate for the case of content in a floating frame + +similarly to how it works for the more common "normal" embedded objects + +Change-Id: I83e38dfa2f84907c2de9680e91f779d34864a9ad +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/149971 +Tested-by: Jenkins +Reviewed-by: Caolán McNamara +(cherry picked from commit 52aa46468531918eabfa2031dedf50377ae72cf7) + +add a route to get writer Floating Frame links under 'manage links' + +Change-Id: If90ff71d6a96342574799312f764badaf97980eb +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150349 +Tested-by: Jenkins +Reviewed-by: Caolán McNamara +(cherry picked from commit 8b8a2844addbd262befb1a2d193dfb590dfa20be) + +allow SvxOle2Shape::resetModifiedState to survive having no SdrObject + +Change-Id: Iea059262c124e3f44249e49b4189732310d28156 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150538 +Tested-by: Jenkins +Reviewed-by: Caolán McNamara +(cherry picked from commit 02379929bd0e1d1676635f0ca1920422702ebb7c) + +create the FloatingFrameShape in a separate step to inserting it + +this is derived from the path taken by the AddShape(const OUString&) +function for this case. No change in behavior is intended. + +Change-Id: Id09ae0c65a55a37743ad7c184070fb8dd97d8a7f +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150526 +Tested-by: Jenkins +Reviewed-by: Caolán McNamara +(cherry picked from commit bafec47847a0b9697b3bbe9358e53f8118af3024) + +add a route to get calc Floating Frame links under 'manage links' + +much harder than writer because the organization and ordering +of properties and object activation etc is different. + +This ended up ugly, but functions. + +We set FrameURL before AddShape, we have to do it again later because it +gets cleared when the SdrOle2Obj is attached to the XShape. But we want +FrameURL to exist when AddShape triggers SetPersistName which itself +triggers SdrOle2Obj::CheckFileLink_Impl and at that point we want to +know what URL will end up being used. So bodge this by setting FrameURL +to the temp pre-SdrOle2Obj attached properties and we can smuggle it +eventually into SdrOle2Obj::SetPersistName at the right point after +PersistName is set but before SdrOle2Obj::CheckFileLink_Impl is called +in order to inform the link manager that this is an IFrame that links to +a URL + +Change-Id: I67fc199fef9e67fa12ca7873f0fe12137aa16d8f +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150539 +Tested-by: Jenkins +Reviewed-by: Caolán McNamara +(cherry picked from commit 07179a5a5bd00f34acfa8a3f260dd834ae003c63) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150755 +Reviewed-by: Michael Stahl +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152118 +Tested-by: Jenkins CollaboraOffice +Reviewed-by: Andras Timar +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152146 +Tested-by: Caolán McNamara +Reviewed-by: Caolán McNamara +--- + .../source/commonembedding/embedobj.cxx | 60 +++++----- + .../source/commonembedding/specialobject.cxx | 9 ++ + embeddedobj/source/inc/commonembobj.hxx | 3 + + embeddedobj/source/inc/specialobject.hxx | 6 + + include/svx/svdoole2.hxx | 17 ++- + include/svx/unoshape.hxx | 2 + + sc/source/ui/docshell/documentlinkmgr.cxx | 9 +- + sfx2/source/doc/iframe.cxx | 55 +++++---- + svx/source/svdraw/svdoole2.cxx | 104 +++++++++++++++--- + svx/source/unodraw/shapeimpl.hxx | 5 + + svx/source/unodraw/unoshap4.cxx | 23 +++- + sw/inc/ndole.hxx | 4 +- + sw/source/core/ole/ndole.cxx | 89 +++++++++++++-- + xmloff/source/draw/ximpshap.cxx | 29 ++++- + xmloff/source/draw/ximpshap.hxx | 2 + + 15 files changed, 331 insertions(+), 86 deletions(-) + +diff --git a/embeddedobj/source/commonembedding/embedobj.cxx b/embeddedobj/source/commonembedding/embedobj.cxx +index 223f25e6302c..1f13338b9436 100644 +--- a/embeddedobj/source/commonembedding/embedobj.cxx ++++ b/embeddedobj/source/commonembedding/embedobj.cxx +@@ -161,6 +161,37 @@ void OCommonEmbeddedObject::StateChangeNotification_Impl( bool bBeforeChange, sa + rGuard.reset(); + } + ++void OCommonEmbeddedObject::SetInplaceActiveState() ++{ ++ if ( !m_xClientSite.is() ) ++ throw embed::WrongStateException( "client site not set, yet", *this ); ++ ++ uno::Reference< embed::XInplaceClient > xInplaceClient( m_xClientSite, uno::UNO_QUERY ); ++ if ( !xInplaceClient.is() || !xInplaceClient->canInplaceActivate() ) ++ throw embed::WrongStateException(); //TODO: can't activate inplace ++ xInplaceClient->activatingInplace(); ++ ++ uno::Reference< embed::XWindowSupplier > xClientWindowSupplier( xInplaceClient, uno::UNO_QUERY_THROW ); ++ ++ m_xClientWindow = xClientWindowSupplier->getWindow(); ++ m_aOwnRectangle = xInplaceClient->getPlacement(); ++ m_aClipRectangle = xInplaceClient->getClipRectangle(); ++ awt::Rectangle aRectangleToShow = GetRectangleInterception( m_aOwnRectangle, m_aClipRectangle ); ++ ++ // create own window based on the client window ++ // place and resize the window according to the rectangles ++ uno::Reference< awt::XWindowPeer > xClientWindowPeer( m_xClientWindow, uno::UNO_QUERY_THROW ); ++ ++ // dispatch provider may not be provided ++ uno::Reference< frame::XDispatchProvider > xContainerDP = xInplaceClient->getInplaceDispatchProvider(); ++ bool bOk = m_xDocHolder->ShowInplace( xClientWindowPeer, aRectangleToShow, xContainerDP ); ++ m_nObjectState = embed::EmbedStates::INPLACE_ACTIVE; ++ if ( !bOk ) ++ { ++ SwitchStateTo_Impl( embed::EmbedStates::RUNNING ); ++ throw embed::WrongStateException(); //TODO: can't activate inplace ++ } ++} + + void OCommonEmbeddedObject::SwitchStateTo_Impl( sal_Int32 nNextState ) + { +@@ -234,34 +265,7 @@ void OCommonEmbeddedObject::SwitchStateTo_Impl( sal_Int32 nNextState ) + { + if ( nNextState == embed::EmbedStates::INPLACE_ACTIVE ) + { +- if ( !m_xClientSite.is() ) +- throw embed::WrongStateException( "client site not set, yet", *this ); +- +- uno::Reference< embed::XInplaceClient > xInplaceClient( m_xClientSite, uno::UNO_QUERY ); +- if ( !xInplaceClient.is() || !xInplaceClient->canInplaceActivate() ) +- throw embed::WrongStateException(); //TODO: can't activate inplace +- xInplaceClient->activatingInplace(); +- +- uno::Reference< embed::XWindowSupplier > xClientWindowSupplier( xInplaceClient, uno::UNO_QUERY_THROW ); +- +- m_xClientWindow = xClientWindowSupplier->getWindow(); +- m_aOwnRectangle = xInplaceClient->getPlacement(); +- m_aClipRectangle = xInplaceClient->getClipRectangle(); +- awt::Rectangle aRectangleToShow = GetRectangleInterception( m_aOwnRectangle, m_aClipRectangle ); +- +- // create own window based on the client window +- // place and resize the window according to the rectangles +- uno::Reference< awt::XWindowPeer > xClientWindowPeer( m_xClientWindow, uno::UNO_QUERY_THROW ); +- +- // dispatch provider may not be provided +- uno::Reference< frame::XDispatchProvider > xContainerDP = xInplaceClient->getInplaceDispatchProvider(); +- bool bOk = m_xDocHolder->ShowInplace( xClientWindowPeer, aRectangleToShow, xContainerDP ); +- m_nObjectState = nNextState; +- if ( !bOk ) +- { +- SwitchStateTo_Impl( embed::EmbedStates::RUNNING ); +- throw embed::WrongStateException(); //TODO: can't activate inplace +- } ++ SetInplaceActiveState(); + } + else if ( nNextState == embed::EmbedStates::ACTIVE ) + { +diff --git a/embeddedobj/source/commonembedding/specialobject.cxx b/embeddedobj/source/commonembedding/specialobject.cxx +index 809ffce1f2c4..3dc1eb7e47ef 100644 +--- a/embeddedobj/source/commonembedding/specialobject.cxx ++++ b/embeddedobj/source/commonembedding/specialobject.cxx +@@ -48,6 +48,7 @@ uno::Any SAL_CALL OSpecialEmbeddedObject::queryInterface( const uno::Type& rType + uno::Any aReturn = ::cppu::queryInterface( rType, + static_cast< embed::XEmbeddedObject* >( this ), + static_cast< embed::XInplaceObject* >( this ), ++ static_cast< embed::XCommonEmbedPersist* >( static_cast< embed::XEmbedPersist* >( this ) ), + static_cast< embed::XVisualObject* >( this ), + static_cast< embed::XClassifiedObject* >( this ), + static_cast< embed::XComponentSupplier* >( this ), +@@ -163,6 +164,14 @@ void SAL_CALL OSpecialEmbeddedObject::doVerb( sal_Int32 nVerbID ) + OCommonEmbeddedObject::doVerb( nVerbID ); + } + ++void SAL_CALL OSpecialEmbeddedObject::reload( ++ const uno::Sequence< beans::PropertyValue >&, ++ const uno::Sequence< beans::PropertyValue >&) ++{ ++ // Allow IFrames to reload their content ++ SetInplaceActiveState(); ++} ++ + OUString SAL_CALL OSpecialEmbeddedObject::getImplementationName() + { + return "com.sun.star.comp.embed.OSpecialEmbeddedObject"; +diff --git a/embeddedobj/source/inc/commonembobj.hxx b/embeddedobj/source/inc/commonembobj.hxx +index 785a28eaf0fd..d8f4b17f106c 100644 +--- a/embeddedobj/source/inc/commonembobj.hxx ++++ b/embeddedobj/source/inc/commonembobj.hxx +@@ -237,6 +237,9 @@ private: + const css::uno::Sequence< css::beans::PropertyValue >& lArguments, + const css::uno::Sequence< css::beans::PropertyValue >& lObjArgs ); + ++protected: ++ void SetInplaceActiveState(); ++ + public: + OCommonEmbeddedObject( + const css::uno::Reference< css::uno::XComponentContext >& rxContext, +diff --git a/embeddedobj/source/inc/specialobject.hxx b/embeddedobj/source/inc/specialobject.hxx +index 48d1d872a2a2..9ec0d7d86465 100644 +--- a/embeddedobj/source/inc/specialobject.hxx ++++ b/embeddedobj/source/inc/specialobject.hxx +@@ -48,6 +48,12 @@ public: + + virtual void SAL_CALL doVerb( sal_Int32 nVerbID ) override; + ++// XCommonEmbedPersist ++ ++ virtual void SAL_CALL reload( ++ const css::uno::Sequence< css::beans::PropertyValue >& lArguments, ++ const css::uno::Sequence< css::beans::PropertyValue >& lObjArgs ) override; ++ + // XServiceInfo + OUString SAL_CALL getImplementationName() override; + sal_Bool SAL_CALL supportsService( const OUString& ServiceName ) override; +diff --git a/include/svx/svdoole2.hxx b/include/svx/svdoole2.hxx +index ae6ff818bdf6..522bead958e6 100644 +--- a/include/svx/svdoole2.hxx ++++ b/include/svx/svdoole2.hxx +@@ -42,6 +42,7 @@ namespace io { class XInputStream; } + namespace svt { class EmbeddedObjectRef; } + + class SdrOle2ObjImpl; ++class SvxOle2Shape; + + class SVXCORE_DLLPUBLIC SdrOle2Obj : public SdrRectObj + { +@@ -49,7 +50,7 @@ private: + std::unique_ptr mpImpl; + + private: +- SVX_DLLPRIVATE void Connect_Impl(); ++ SVX_DLLPRIVATE void Connect_Impl(SvxOle2Shape* pCreator = nullptr); + SVX_DLLPRIVATE void Disconnect_Impl(); + SVX_DLLPRIVATE void AddListeners_Impl(); + SVX_DLLPRIVATE void RemoveListeners_Impl(); +@@ -107,7 +108,7 @@ public: + // OLE object has got a separate PersistName member now; + // !!! use ::SetPersistName( ... ) only, if you know what you do !!! + const OUString& GetPersistName() const; +- void SetPersistName( const OUString& rPersistName ); ++ void SetPersistName( const OUString& rPersistName, SvxOle2Shape* pCreator = nullptr ); + + // One can add an application name to a SdrOle2Obj, which can be queried for + // later on (SD needs this for presentation objects). +@@ -152,7 +153,7 @@ public: + sal_Int64 nAspect ); + static bool Unload( const css::uno::Reference< css::embed::XEmbeddedObject >& xObj, sal_Int64 nAspect ); + bool Unload(); +- void Connect(); ++ void Connect(SvxOle2Shape* pCreator = nullptr); + void Disconnect(); + void ObjectLoaded(); + +@@ -199,4 +200,14 @@ public: + void Connect() { GetRealObject(); } + }; + ++class SVXCORE_DLLPUBLIC SdrIFrameLink final : public sfx2::SvBaseLink ++{ ++ SdrOle2Obj* m_pObject; ++ ++public: ++ explicit SdrIFrameLink(SdrOle2Obj* pObject); ++ virtual ::sfx2::SvBaseLink::UpdateResult DataChanged( ++ const OUString& rMimeType, const css::uno::Any & rValue ) override; ++}; ++ + /* vim:set shiftwidth=4 softtabstop=4 expandtab: */ +diff --git a/include/svx/unoshape.hxx b/include/svx/unoshape.hxx +index 3d3d5bea3a9b..aa72f1fdf1b2 100644 +--- a/include/svx/unoshape.hxx ++++ b/include/svx/unoshape.hxx +@@ -606,6 +606,8 @@ public: + bool createObject( const SvGlobalName &aClassName ); + + void createLink( const OUString& aLinkURL ); ++ ++ virtual OUString GetAndClearInitialFrameURL(); + }; + + +diff --git a/sc/source/ui/docshell/documentlinkmgr.cxx b/sc/source/ui/docshell/documentlinkmgr.cxx +index 3652df5cca0a..79a86d08b438 100644 +--- a/sc/source/ui/docshell/documentlinkmgr.cxx ++++ b/sc/source/ui/docshell/documentlinkmgr.cxx +@@ -144,7 +144,7 @@ bool DocumentLinkManager::hasDdeOrOleOrWebServiceLinks(bool bDde, bool bOle, boo + sfx2::SvBaseLink* pBase = rLink.get(); + if (bDde && dynamic_cast(pBase)) + return true; +- if (bOle && dynamic_cast(pBase)) ++ if (bOle && (dynamic_cast(pBase) || dynamic_cast(pBase))) + return true; + if (bWebService && dynamic_cast(pBase)) + return true; +@@ -175,6 +175,13 @@ bool DocumentLinkManager::updateDdeOrOleOrWebServiceLinks(weld::Window* pWin) + continue; + } + ++ SdrIFrameLink* pIFrameLink = dynamic_cast(pBase); ++ if (pIFrameLink) ++ { ++ pIFrameLink->Update(); ++ continue; ++ } ++ + ScWebServiceLink* pWebserviceLink = dynamic_cast(pBase); + if (pWebserviceLink) + { +diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx +index 050d5c3f9e0f..e80f4d3cebf9 100644 +--- a/sfx2/source/doc/iframe.cxx ++++ b/sfx2/source/doc/iframe.cxx +@@ -175,31 +175,46 @@ sal_Bool SAL_CALL IFrameObject::load( + return false; + } + ++ bool bUpdateAllowed(true); ++ if (pDoc) ++ { ++ // perhaps should only check for file targets, but lets default to making it strong ++ // unless there is a known need to distinguish ++ comphelper::EmbeddedObjectContainer& rEmbeddedObjectContainer = pDoc->getEmbeddedObjectContainer(); ++ bUpdateAllowed = rEmbeddedObjectContainer.getUserAllowsLinkUpdate(); ++ } ++ if (!bUpdateAllowed) ++ return false; ++ + OUString sReferer; + if (pDoc && pDoc->HasName()) + sReferer = pDoc->GetMedium()->GetName(); + +- DBG_ASSERT( !mxFrame.is(), "Frame already existing!" ); +- VclPtr pParent = VCLUnoHelper::GetWindow( xFrame->getContainerWindow() ); +- VclPtr pWin = VclPtr::Create( pParent, maFrmDescr.IsFrameBorderOn() ); +- pWin->SetSizePixel( pParent->GetOutputSizePixel() ); +- pWin->SetBackground(); +- pWin->Show(); +- +- uno::Reference < awt::XWindow > xWindow( pWin->GetComponentInterface(), uno::UNO_QUERY ); +- xFrame->setComponent( xWindow, uno::Reference < frame::XController >() ); ++ uno::Reference xParentWindow(xFrame->getContainerWindow()); + +- // we must destroy the IFrame before the parent is destroyed +- xWindow->addEventListener( this ); +- +- mxFrame = frame::Frame::create( mxContext ); +- uno::Reference < awt::XWindow > xWin( pWin->GetComponentInterface(), uno::UNO_QUERY ); +- mxFrame->initialize( xWin ); +- mxFrame->setName( maFrmDescr.GetName() ); +- +- uno::Reference < frame::XFramesSupplier > xFramesSupplier( xFrame, uno::UNO_QUERY ); +- if ( xFramesSupplier.is() ) +- mxFrame->setCreator( xFramesSupplier ); ++ if (!mxFrame.is()) ++ { ++ VclPtr pParent = VCLUnoHelper::GetWindow(xParentWindow); ++ VclPtr pWin = VclPtr::Create( pParent, maFrmDescr.IsFrameBorderOn() ); ++ pWin->SetSizePixel( pParent->GetOutputSizePixel() ); ++ pWin->SetBackground(); ++ pWin->Show(); ++ ++ uno::Reference < awt::XWindow > xWindow( pWin->GetComponentInterface(), uno::UNO_QUERY ); ++ xFrame->setComponent( xWindow, uno::Reference < frame::XController >() ); ++ ++ // we must destroy the IFrame before the parent is destroyed ++ xWindow->addEventListener( this ); ++ ++ mxFrame = frame::Frame::create( mxContext ); ++ uno::Reference < awt::XWindow > xWin( pWin->GetComponentInterface(), uno::UNO_QUERY ); ++ mxFrame->initialize( xWin ); ++ mxFrame->setName( maFrmDescr.GetName() ); ++ ++ uno::Reference < frame::XFramesSupplier > xFramesSupplier( xFrame, uno::UNO_QUERY ); ++ if ( xFramesSupplier.is() ) ++ mxFrame->setCreator( xFramesSupplier ); ++ } + + uno::Sequence < beans::PropertyValue > aProps{ + comphelper::makePropertyValue("PluginMode", sal_Int16(2)), +diff --git a/svx/source/svdraw/svdoole2.cxx b/svx/source/svdraw/svdoole2.cxx +index 158824b327a0..7ca8a5acc263 100644 +--- a/svx/source/svdraw/svdoole2.cxx ++++ b/svx/source/svdraw/svdoole2.cxx +@@ -69,6 +69,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -593,6 +594,35 @@ void SdrEmbedObjectLink::Closed() + SvBaseLink::Closed(); + } + ++SdrIFrameLink::SdrIFrameLink(SdrOle2Obj* pObject) ++ : ::sfx2::SvBaseLink(::SfxLinkUpdateMode::ONCALL, SotClipboardFormatId::SVXB) ++ , m_pObject(pObject) ++{ ++ SetSynchron( false ); ++} ++ ++::sfx2::SvBaseLink::UpdateResult SdrIFrameLink::DataChanged( ++ const OUString&, const uno::Any& ) ++{ ++ uno::Reference xObject = m_pObject->GetObjRef(); ++ uno::Reference xPersObj(xObject, uno::UNO_QUERY); ++ if (xPersObj.is()) ++ { ++ // let the IFrameObject reload the link ++ try ++ { ++ xPersObj->reload(uno::Sequence(), uno::Sequence()); ++ } ++ catch (const uno::Exception&) ++ { ++ } ++ ++ m_pObject->SetChanged(); ++ } ++ ++ return SUCCESS; ++} ++ + class SdrOle2ObjImpl + { + public: +@@ -610,7 +640,7 @@ public: + bool mbLoadingOLEObjectFailed:1; // New local var to avoid repeated loading if load of OLE2 fails + bool mbConnected:1; + +- SdrEmbedObjectLink* mpObjectLink; ++ sfx2::SvBaseLink* mpObjectLink; + OUString maLinkURL; + + rtl::Reference mxModifyListener; +@@ -852,7 +882,7 @@ bool SdrOle2Obj::IsEmpty() const + return !mpImpl->mxObjRef.is(); + } + +-void SdrOle2Obj::Connect() ++void SdrOle2Obj::Connect(SvxOle2Shape* pCreator) + { + if( IsEmptyPresObj() ) + return; +@@ -865,7 +895,7 @@ void SdrOle2Obj::Connect() + return; + } + +- Connect_Impl(); ++ Connect_Impl(pCreator); + AddListeners_Impl(); + } + +@@ -964,24 +994,51 @@ void SdrOle2Obj::CheckFileLink_Impl() + + try + { +- uno::Reference< embed::XLinkageSupport > xLinkSupport( mpImpl->mxObjRef.GetObject(), uno::UNO_QUERY ); ++ uno::Reference xObject = mpImpl->mxObjRef.GetObject(); ++ if (!xObject) ++ return; + +- if ( xLinkSupport.is() && xLinkSupport->isLink() ) +- { +- OUString aLinkURL = xLinkSupport->getLinkURL(); ++ bool bIFrame = false; + +- if ( !aLinkURL.isEmpty() ) ++ OUString aLinkURL; ++ uno::Reference xLinkSupport(xObject, uno::UNO_QUERY); ++ if (xLinkSupport) ++ { ++ if (xLinkSupport->isLink()) ++ aLinkURL = xLinkSupport->getLinkURL(); ++ } ++ else ++ { ++ // get IFrame (Floating Frames) listed and updatable from the ++ // manage links dialog ++ SvGlobalName aClassId(xObject->getClassID()); ++ if (aClassId == SvGlobalName(SO3_IFRAME_CLASSID)) + { +- // this is a file link so the model link manager should handle it +- sfx2::LinkManager* pLinkManager(getSdrModelFromSdrObject().GetLinkManager()); ++ uno::Reference xSet(xObject->getComponent(), uno::UNO_QUERY); ++ if (xSet.is()) ++ xSet->getPropertyValue("FrameURL") >>= aLinkURL; ++ bIFrame = true; ++ } ++ } ++ ++ if (!aLinkURL.isEmpty()) // this is a file link so the model link manager should handle it ++ { ++ sfx2::LinkManager* pLinkManager(getSdrModelFromSdrObject().GetLinkManager()); + +- if ( pLinkManager ) ++ if ( pLinkManager ) ++ { ++ SdrEmbedObjectLink* pEmbedObjectLink = nullptr; ++ if (!bIFrame) + { +- mpImpl->mpObjectLink = new SdrEmbedObjectLink( this ); +- mpImpl->maLinkURL = aLinkURL; +- pLinkManager->InsertFileLink( *mpImpl->mpObjectLink, sfx2::SvBaseLinkObjectType::ClientOle, aLinkURL ); +- mpImpl->mpObjectLink->Connect(); ++ pEmbedObjectLink = new SdrEmbedObjectLink(this); ++ mpImpl->mpObjectLink = pEmbedObjectLink; + } ++ else ++ mpImpl->mpObjectLink = new SdrIFrameLink(this); ++ mpImpl->maLinkURL = aLinkURL; ++ pLinkManager->InsertFileLink( *mpImpl->mpObjectLink, sfx2::SvBaseLinkObjectType::ClientOle, aLinkURL ); ++ if (pEmbedObjectLink) ++ pEmbedObjectLink->Connect(); + } + } + } +@@ -991,7 +1048,7 @@ void SdrOle2Obj::CheckFileLink_Impl() + } + } + +-void SdrOle2Obj::Connect_Impl() ++void SdrOle2Obj::Connect_Impl(SvxOle2Shape* pCreator) + { + if(mpImpl->aPersistName.isEmpty() ) + return; +@@ -1032,6 +1089,17 @@ void SdrOle2Obj::Connect_Impl() + } + } + ++ if (pCreator) ++ { ++ OUString sFrameURL(pCreator->GetAndClearInitialFrameURL()); ++ if (!sFrameURL.isEmpty() && svt::EmbeddedObjectRef::TryRunningState(mpImpl->mxObjRef.GetObject())) ++ { ++ uno::Reference xSet(mpImpl->mxObjRef->getComponent(), uno::UNO_QUERY); ++ if (xSet.is()) ++ xSet->setPropertyValue("FrameURL", uno::Any(sFrameURL)); ++ } ++ } ++ + if ( mpImpl->mxObjRef.is() ) + { + if ( !mpImpl->mxLightClient.is() ) +@@ -1342,14 +1410,14 @@ SdrObjectUniquePtr SdrOle2Obj::getFullDragClone() const + return createSdrGrafObjReplacement(false); + } + +-void SdrOle2Obj::SetPersistName( const OUString& rPersistName ) ++void SdrOle2Obj::SetPersistName( const OUString& rPersistName, SvxOle2Shape* pCreator ) + { + DBG_ASSERT( mpImpl->aPersistName.isEmpty(), "Persist name changed!"); + + mpImpl->aPersistName = rPersistName; + mpImpl->mbLoadingOLEObjectFailed = false; + +- Connect(); ++ Connect(pCreator); + SetChanged(); + } + +diff --git a/svx/source/unodraw/shapeimpl.hxx b/svx/source/unodraw/shapeimpl.hxx +index 0ccf22071194..cc7d29f03caf 100644 +--- a/svx/source/unodraw/shapeimpl.hxx ++++ b/svx/source/unodraw/shapeimpl.hxx +@@ -64,8 +64,11 @@ public: + + virtual void Create( SdrObject* pNewOpj, SvxDrawPage* pNewPage ) override; + }; ++ + class SvxFrameShape : public SvxOle2Shape + { ++private: ++ OUString m_sInitialFrameURL; + protected: + // override these for special property handling in subcasses. Return true if property is handled + virtual bool setPropertyValueImpl( const OUString& rName, const SfxItemPropertyMapEntry* pProperty, const css::uno::Any& rValue ) override; +@@ -82,6 +85,8 @@ public: + virtual void SAL_CALL setPropertyValues( const css::uno::Sequence< OUString >& aPropertyNames, const css::uno::Sequence< css::uno::Any >& aValues ) override; + + virtual void Create( SdrObject* pNewOpj, SvxDrawPage* pNewPage ) override; ++ ++ virtual OUString GetAndClearInitialFrameURL() override; + }; + + +diff --git a/svx/source/unodraw/unoshap4.cxx b/svx/source/unodraw/unoshap4.cxx +index 865ce0a3ee5b..7948ce153fec 100644 +--- a/svx/source/unodraw/unoshap4.cxx ++++ b/svx/source/unodraw/unoshap4.cxx +@@ -177,7 +177,7 @@ bool SvxOle2Shape::setPropertyValueImpl( const OUString& rName, const SfxItemPro + #else + pOle = static_cast(GetSdrObject()); + #endif +- pOle->SetPersistName( aPersistName ); ++ pOle->SetPersistName( aPersistName, this ); + return true; + } + break; +@@ -498,10 +498,11 @@ void SvxOle2Shape::createLink( const OUString& aLinkURL ) + + void SvxOle2Shape::resetModifiedState() + { +- ::comphelper::IEmbeddedHelper* pPersist = GetSdrObject()->getSdrModelFromSdrObject().GetPersist(); ++ SdrObject* pObject = GetSdrObject(); ++ ::comphelper::IEmbeddedHelper* pPersist = pObject ? pObject->getSdrModelFromSdrObject().GetPersist() : nullptr; + if( pPersist && !pPersist->isEnableSetModified() ) + { +- SdrOle2Obj* pOle = dynamic_cast< SdrOle2Obj* >( GetSdrObject() ); ++ SdrOle2Obj* pOle = dynamic_cast< SdrOle2Obj* >(pObject); + if( pOle && !pOle->IsEmpty() ) + { + uno::Reference < util::XModifiable > xMod( pOle->GetObjRef(), uno::UNO_QUERY ); +@@ -551,6 +552,11 @@ SvGlobalName SvxOle2Shape::GetClassName_Impl(OUString& rHexCLSID) + return aClassName; + } + ++OUString SvxOle2Shape::GetAndClearInitialFrameURL() ++{ ++ return OUString(); ++} ++ + SvxAppletShape::SvxAppletShape(SdrObject* pObject) + : SvxOle2Shape( pObject, getSvxMapProvider().GetMap(SVXMAP_APPLET), getSvxMapProvider().GetPropertySet(SVXMAP_APPLET, SdrObject::GetGlobalDrawObjectItemPool()) ) + { +@@ -704,8 +710,19 @@ SvxFrameShape::~SvxFrameShape() noexcept + { + } + ++OUString SvxFrameShape::GetAndClearInitialFrameURL() ++{ ++ OUString sRet(m_sInitialFrameURL); ++ m_sInitialFrameURL.clear(); ++ return sRet; ++} ++ + void SvxFrameShape::Create( SdrObject* pNewObj, SvxDrawPage* pNewPage ) + { ++ uno::Reference xSet(static_cast(this), uno::UNO_QUERY); ++ if (xSet) ++ xSet->getPropertyValue("FrameURL") >>= m_sInitialFrameURL; ++ + SvxShape::Create( pNewObj, pNewPage ); + const SvGlobalName aIFrameClassId( SO3_IFRAME_CLASSID ); + createObject(aIFrameClassId); +diff --git a/sw/inc/ndole.hxx b/sw/inc/ndole.hxx +index 302c9a0a5ebe..15e79f691e64 100644 +--- a/sw/inc/ndole.hxx ++++ b/sw/inc/ndole.hxx +@@ -28,7 +28,7 @@ class SwGrfFormatColl; + class SwDoc; + class SwOLENode; + class SwOLEListener_Impl; +-class SwEmbedObjectLink; ++namespace sfx2 { class SvBaseLink; } + class DeflateData; + + class SW_DLLPUBLIC SwOLEObj +@@ -93,7 +93,7 @@ class SW_DLLPUBLIC SwOLENode final: public SwNoTextNode + bool mbOLESizeInvalid; /**< Should be considered at SwDoc::PrtOLENotify + (e.g. copied). Is not persistent. */ + +- SwEmbedObjectLink* mpObjectLink; ++ sfx2::SvBaseLink* mpObjectLink; + OUString maLinkURL; + + SwOLENode( const SwNodeIndex &rWhere, +diff --git a/sw/source/core/ole/ndole.cxx b/sw/source/core/ole/ndole.cxx +index d553768db7ce..c7ba5142a9b7 100644 +--- a/sw/source/core/ole/ndole.cxx ++++ b/sw/source/core/ole/ndole.cxx +@@ -150,6 +150,8 @@ void SAL_CALL SwOLEListener_Impl::disposing( const lang::EventObject& ) + // TODO/LATER: actually SwEmbedObjectLink should be used here, but because different objects are used to control + // embedded object different link objects with the same functionality had to be implemented + ++namespace { ++ + class SwEmbedObjectLink : public sfx2::SvBaseLink + { + SwOLENode* m_pOleNode; +@@ -212,6 +214,44 @@ void SwEmbedObjectLink::Closed() + SvBaseLink::Closed(); + } + ++class SwIFrameLink : public sfx2::SvBaseLink ++{ ++ SwOLENode* m_pOleNode; ++ ++public: ++ explicit SwIFrameLink(SwOLENode* pNode) ++ : ::sfx2::SvBaseLink(::SfxLinkUpdateMode::ONCALL, SotClipboardFormatId::SVXB) ++ , m_pOleNode(pNode) ++ { ++ SetSynchron( false ); ++ } ++ ++ ::sfx2::SvBaseLink::UpdateResult DataChanged( ++ const OUString&, const uno::Any& ) ++ { ++ uno::Reference xObject = m_pOleNode->GetOLEObj().GetOleRef(); ++ uno::Reference xPersObj(xObject, uno::UNO_QUERY); ++ if (xPersObj.is()) ++ { ++ // let the IFrameObject reload the link ++ try ++ { ++ xPersObj->reload(uno::Sequence(), uno::Sequence()); ++ } ++ catch (const uno::Exception&) ++ { ++ } ++ ++ m_pOleNode->SetChanged(); ++ } ++ ++ return SUCCESS; ++ } ++ ++}; ++ ++} ++ + SwOLENode::SwOLENode( const SwNodeIndex &rWhere, + const svt::EmbeddedObjectRef& xObj, + SwGrfFormatColl *pGrfColl, +@@ -610,18 +650,49 @@ void SwOLENode::CheckFileLink_Impl() + + try + { +- uno::Reference< embed::XLinkageSupport > xLinkSupport( maOLEObj.m_xOLERef.GetObject(), uno::UNO_QUERY_THROW ); +- if ( xLinkSupport->isLink() ) ++ uno::Reference xObject = maOLEObj.m_xOLERef.GetObject(); ++ if (!xObject) ++ return; ++ ++ bool bIFrame = false; ++ ++ OUString aLinkURL; ++ uno::Reference xLinkSupport(xObject, uno::UNO_QUERY); ++ if (xLinkSupport) ++ { ++ if (xLinkSupport->isLink()) ++ aLinkURL = xLinkSupport->getLinkURL(); ++ } ++ else ++ { ++ // get IFrame (Floating Frames) listed and updatable from the ++ // manage links dialog ++ SvGlobalName aClassId(xObject->getClassID()); ++ if (aClassId == SvGlobalName(SO3_IFRAME_CLASSID)) ++ { ++ uno::Reference xSet(xObject->getComponent(), uno::UNO_QUERY); ++ if (xSet.is()) ++ xSet->getPropertyValue("FrameURL") >>= aLinkURL; ++ bIFrame = true; ++ } ++ } ++ ++ if (!aLinkURL.isEmpty()) // this is a file link so the model link manager should handle it + { +- const OUString aLinkURL = xLinkSupport->getLinkURL(); +- if ( !aLinkURL.isEmpty() ) ++ SwEmbedObjectLink* pEmbedObjectLink = nullptr; ++ if (!bIFrame) ++ { ++ pEmbedObjectLink = new SwEmbedObjectLink(this); ++ mpObjectLink = pEmbedObjectLink; ++ } ++ else + { +- // this is a file link so the model link manager should handle it +- mpObjectLink = new SwEmbedObjectLink( this ); +- maLinkURL = aLinkURL; +- GetDoc().getIDocumentLinksAdministration().GetLinkManager().InsertFileLink( *mpObjectLink, sfx2::SvBaseLinkObjectType::ClientOle, aLinkURL ); +- mpObjectLink->Connect(); ++ mpObjectLink = new SwIFrameLink(this); + } ++ maLinkURL = aLinkURL; ++ GetDoc().getIDocumentLinksAdministration().GetLinkManager().InsertFileLink( *mpObjectLink, sfx2::SvBaseLinkObjectType::ClientOle, aLinkURL ); ++ if (pEmbedObjectLink) ++ pEmbedObjectLink->Connect(); + } + } + catch( uno::Exception& ) +diff --git a/xmloff/source/draw/ximpshap.cxx b/xmloff/source/draw/ximpshap.cxx +index f2e217243474..ad41b8dcd3ad 100644 +--- a/xmloff/source/draw/ximpshap.cxx ++++ b/xmloff/source/draw/ximpshap.cxx +@@ -3106,10 +3106,36 @@ SdXMLFloatingFrameShapeContext::~SdXMLFloatingFrameShapeContext() + { + } + ++uno::Reference SdXMLFloatingFrameShapeContext::CreateFloatingFrameShape() const ++{ ++ uno::Reference xServiceFact(GetImport().GetModel(), uno::UNO_QUERY); ++ if (!xServiceFact.is()) ++ return nullptr; ++ uno::Reference xShape( ++ xServiceFact->createInstance("com.sun.star.drawing.FrameShape"), uno::UNO_QUERY); ++ return xShape; ++} ++ + void SdXMLFloatingFrameShapeContext::startFastElement (sal_Int32 /*nElement*/, + const css::uno::Reference< css::xml::sax::XFastAttributeList >& /*xAttrList*/) + { +- AddShape("com.sun.star.drawing.FrameShape"); ++ uno::Reference xShape(SdXMLFloatingFrameShapeContext::CreateFloatingFrameShape()); ++ ++ uno::Reference< beans::XPropertySet > xProps(xShape, uno::UNO_QUERY); ++ // set FrameURL before AddShape, we have to do it again later because it ++ // gets cleared when the SdrOle2Obj is attached to the XShape. But we want ++ // FrameURL to exist when AddShape triggers SetPersistName which itself ++ // triggers SdrOle2Obj::CheckFileLink_Impl and at that point we want to ++ // know what URL will end up being used. So bodge this by setting FrameURL ++ // to the temp pre-SdrOle2Obj attached properties and we can smuggle it ++ // eventually into SdrOle2Obj::SetPersistName at the right point after ++ // PersistName is set but before SdrOle2Obj::CheckFileLink_Impl is called ++ // in order to inform the link manager that this is an IFrame that links to ++ // a URL ++ if (xProps && !maHref.isEmpty()) ++ xProps->setPropertyValue("FrameURL", Any(maHref)); ++ ++ AddShape(xShape); + + if( !mxShape.is() ) + return; +@@ -3119,7 +3145,6 @@ void SdXMLFloatingFrameShapeContext::startFastElement (sal_Int32 /*nElement*/, + // set pos, size, shear and rotate + SetTransformation(); + +- uno::Reference< beans::XPropertySet > xProps( mxShape, uno::UNO_QUERY ); + if( xProps.is() ) + { + if( !maFrameName.isEmpty() ) +diff --git a/xmloff/source/draw/ximpshap.hxx b/xmloff/source/draw/ximpshap.hxx +index 202de49d7bc9..e11f1688e79b 100644 +--- a/xmloff/source/draw/ximpshap.hxx ++++ b/xmloff/source/draw/ximpshap.hxx +@@ -528,6 +528,8 @@ private: + OUString maFrameName; + OUString maHref; + ++ css::uno::Reference CreateFloatingFrameShape() const; ++ + public: + + SdXMLFloatingFrameShapeContext( SvXMLImport& rImport, +-- +2.40.1 + diff --git a/patches/CVE-2023-2255-3.patch b/patches/CVE-2023-2255-3.patch new file mode 100644 index 000000000..f9f8e30f4 --- /dev/null +++ b/patches/CVE-2023-2255-3.patch @@ -0,0 +1,52 @@ +From c7d2580885673fa73253ee8878c8730f0263d3fa Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Thu, 20 Apr 2023 20:58:21 +0100 +Subject: [PATCH 3/3] assume IFrame script/macro support isn't needed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +seems undocumented at least + +Change-Id: I316e4f4f25ddb7cf6b7bac4d856a721b987207a3 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/151020 +Tested-by: Jenkins +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152165 +Tested-by: Caolán McNamara +Reviewed-by: Caolán McNamara +--- + sfx2/source/doc/iframe.cxx | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx +index e80f4d3cebf9..08dfee998c6d 100644 +--- a/sfx2/source/doc/iframe.cxx ++++ b/sfx2/source/doc/iframe.cxx +@@ -166,20 +166,16 @@ sal_Bool SAL_CALL IFrameObject::load( + uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) ); + xTrans->parseStrict( aTargetURL ); + ++ INetURLObject aURLObject(aTargetURL.Complete); ++ if (aURLObject.GetProtocol() == INetProtocol::Macro || aURLObject.isSchemeEqualTo(u"vnd.sun.star.script")) ++ return false; ++ + uno::Reference xParentFrame = xFrame->getCreator(); + SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame); + +- if (INetURLObject(aTargetURL.Complete).GetProtocol() == INetProtocol::Macro) +- { +- if (pDoc && !pDoc->AdjustMacroMode()) +- return false; +- } +- + bool bUpdateAllowed(true); + if (pDoc) + { +- // perhaps should only check for file targets, but lets default to making it strong +- // unless there is a known need to distinguish + comphelper::EmbeddedObjectContainer& rEmbeddedObjectContainer = pDoc->getEmbeddedObjectContainer(); + bUpdateAllowed = rEmbeddedObjectContainer.getUserAllowsLinkUpdate(); + } +-- +2.40.1 + diff --git a/patches/series b/patches/series index 2cbb51557..1d38230c6 100644 --- a/patches/series +++ b/patches/series @@ -59,3 +59,7 @@ ubuntu-0004-error-when-copying-table-and-the-copy-table-wizard-c.patch ubuntu-0005-make-ValueTransfer-easier-to-understand.patch ubuntu-0006-Related-tdf-150011-Add-HRK-Croatian-Kuna-to-Euro-con.patch ubuntu-0007-Resolves-tdf-150011-Switch-default-currency-HRK-Croa.patch +CVE-2023-2255-1.patch +CVE-2023-2255-2.patch +CVE-2023-2255-3.patch +CVE-2023-0950.patch