unoconv: add CVE-2019-17400 patch

Nathan Owens 2019-10-29 00:52:47 +00:00 committed by Helmut Pozimski
parent 4853db22a0
commit 72de297707
2 changed files with 119 additions and 2 deletions


@ -0,0 +1,117 @@
From 3351c5e5eef88690ed860bfee99d905202518a22 Mon Sep 17 00:00:00 2001
From: Samuel Erb <samrerb@erbbysam.com>
Date: Tue, 17 Sep 2019 12:22:12 -0400
Subject: [PATCH] change default updateDocMode behavior and add new option to
keep old behavior (#510)
---
unoconv | 51 ++++++++++++++++++++++++++++++---------------------
1 file changed, 30 insertions(+), 21 deletions(-)
diff --git a/unoconv b/unoconv
index f844d0f..762dc85 100755
--- unoconv
+++ unoconv
@@ -543,6 +543,8 @@ class Options:
self.template = None
self.timeout = 6
self.verbose = 0
+ self.userProfile = None
+ self.updateDocMode = NO_UPDATE
self.setprinter = False
self.paperformat = None
@@ -555,8 +557,8 @@ class Options:
['connection=', 'debug', 'doctype=', 'export=', 'field=', 'format=',
'help', 'import=', 'import-filter-name=', 'listener', 'meta=', 'no-launch',
'output=', 'outputpath', 'password=', 'pipe=', 'port=', 'preserve',
- 'server=', 'timeout=', 'show', 'stdin', 'stdout', 'template', 'printer=',
- 'verbose', 'version'] )
+ 'server=', 'timeout=', 'user-profile=', 'show', 'stdin',
+ 'stdout', 'template', 'printer=', 'unsafe-quiet-update', 'verbose', 'version'] )
except getopt.error as exc:
print('unoconv: %s, try unoconv -h for a list of all the options' % str(exc))
sys.exit(255)
@@ -646,6 +648,10 @@ class Options:
self.template = arg
elif opt in ['-T', '--timeout']:
self.timeout = int(arg)
+ elif opt in ['--unsafe-quiet-update']:
+ # ref https://www.openoffice.org/api/docs/common/ref/com/sun/star/document/UpdateDocMode.html
+ print('Warning: Do not use the option --unsafe-quiet-update with untrusted input.')
+ self.updateDocMode = QUIET_UPDATE
elif opt in ['-v', '--verbose']:
self.verbose = self.verbose + 1
elif opt in ['-V', '--version']:
@@ -760,6 +766,7 @@ unoconv options:
--stdout write output to stdout
-t, --template=file import the styles from template (.ott)
-T, --timeout=secs timeout after secs if connection to listener fails
+ --unsafe-quiet-update allow rendered document to fetch external resources (Warning: this is unsafe with untrusted input)
-v, --verbose be more and more verbose (-vvv for debugging)
--version display version number of unoconv, OOo/LO and platform details
-P, --printer printer options
@@ -930,7 +937,7 @@ class Convertor:
phase = "import"
### Load inputfile
- inputprops = UnoProps(Hidden=True, ReadOnly=True, UpdateDocMode=QUIET_UPDATE)
+ inputprops = UnoProps(Hidden=True, ReadOnly=True, UpdateDocMode=op.updateDocMode)
if op.password:
inputprops += UnoProps(Password=op.password)
@@ -983,23 +990,25 @@ class Convertor:
# except AttributeError:
# pass
- ### Update document links
- phase = "update-links"
- try:
- document.updateLinks()
- # Found that when converting HTML files with external images, OO would only load five or six of
- # the images in the file. In the resulting document, the rest of the images did not appear. Cycling
- # through all the image references in the document seems to force OO to actually load them. Found
- # some helpful guidance in this thread:
- # https://forum.openoffice.org/en/forum/viewtopic.php?f=30&t=23909
- # Ideally we would like to have the option to embed the images into the document, but I have not been
- # able to figure out how to do this yet.
- graphObjs = document.GraphicObjects
- for i in range(0, graphObjs.getCount()):
- graphObj = graphObjs.getByIndex(i)
- except AttributeError:
- # the document doesn't implement the XLinkUpdate interface
- pass
+ ### Update document links if appropriate
+ if op.updateDocMode != NO_UPDATE:
+ phase = "update-links"
+ try:
+ document.updateLinks()
+ # Found that when converting HTML files with external images, OO would only load five or six of
+ # the images in the file. In the resulting document, the rest of the images did not appear. Cycling
+ # through all the image references in the document seems to force OO to actually load them. Found
+ # some helpful guidance in this thread:
+ # https://forum.openoffice.org/en/forum/viewtopic.php?f=30&t=23909
+ # Ideally we would like to have the option to embed the images into the document, but I have not been
+ # able to figure out how to do this yet.
+ if op.updatehtmllinks:
+ graphObjs = document.GraphicObjects
+ for i in range(0, graphObjs.getCount()):
+ graphObj = graphObjs.getByIndex(i)
+ except AttributeError:
+ # the document doesn't implement the XLinkUpdate interface
+ pass
### Add/Replace variables
phase = "replace-fields"
@@ -1347,7 +1356,7 @@ if __name__ == '__main__':
### Now that we have found a working pyuno library, let's import some classes
from com.sun.star.beans import PropertyValue
from com.sun.star.connection import NoConnectException
- from com.sun.star.document.UpdateDocMode import QUIET_UPDATE
+ from com.sun.star.document.UpdateDocMode import NO_UPDATE, QUIET_UPDATE
from com.sun.star.lang import DisposedException, IllegalArgumentException
from com.sun.star.io import IOException, XOutputStream
from com.sun.star.script import CannotConvertException
--
2.23.0
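Review bot: The re-added graphic-object loop is gated on `op.updatehtmllinks`, but the `Options.__init__` hunk in this patch only adds `userProfile` and `updateDocMode`, and the removed lines carried no such guard, so the attribute may not exist in the 0.8.2 script this backport is applied to. If it is missing, the lookup raises AttributeError inside the `try`, and the existing `except AttributeError: pass` swallows it, so `--unsafe-quiet-update` would call `document.updateLinks()` and then skip the image loop with no diagnostic. Either add `self.updatehtmllinks = True` next to `self.updateDocMode = NO_UPDATE` or drop the guard in the backport. Separately, the new warning uses a bare `print(...)`, which writes to stdout and would be mixed into the converted document when `--stdout` is used; `print('Warning: Do not use the option --unsafe-quiet-update with untrusted input.', file=sys.stderr)` keeps it out of the output stream. `'user-profile='` is also added to the getopt list with no handler visible in these hunks, so the option would presumably be accepted and silently ignored.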


@ -1,14 +1,14 @@
# Template file for 'unoconv'
pkgname=unoconv
version=0.8.2
revision=1
revision=2
archs=noarch
build_style=gnu-makefile
hostmakedepends="asciidoc git"
depends="python"
short_desc="Convert between document formats supported by LibreOffice/OpenOffice"
maintainer="Antonio Malcolm <antonio@antoniomalcolm.com>"
license="GPL-2"
license="GPL-2.0-only"
homepage="https://github.com/dagwieers/unoconv"
distfiles="${homepage}/archive/${version}.tar.gz>${pkgname}-${version}.tar.gz"
checksum=5381c0338d50e9b05cd30f8724b796e3bf426e9dde3d51169b3511de22de14a6