authorCaolán McNamara <caolan.mcnamara@collabora.com>2024-06-04 21:15:32 +0100
committerAndras Timar <andras.timar@collabora.com>2024-06-24 18:53:34 +0200
commit7ca908a500663b2aaa120542519a4e82824d4efe (patch)
tree99fa1222fd0fe1bf8f1699ca93f3ec891cc7ff7e
parentauto-add wopi server cert to child capath (diff)
honour online host verification exemption also in core
Signed-off-by: Caolán McNamara <caolan.mcnamara@collabora.com> Change-Id: I041b6f428069d5fb62426c80512ced7d00e622d3
-rw-r--r--common/Session.cpp8
-rw-r--r--common/Session.hpp7
-rw-r--r--kit/Kit.cpp10
-rw-r--r--net/Ssl.hpp6
-rw-r--r--wsd/ClientSession.cpp5
5 files changed, 35 insertions, 1 deletions
diff --git a/common/Session.cpp b/common/Session.cpp
index 654aa95b5b..14d74291b5 100644
--- a/common/Session.cpp
+++ b/common/Session.cpp
@@ -43,7 +43,8 @@ Session::Session(const std::shared_ptr<ProtocolHandlerInterface> &protocol,
_isDocPasswordProtected(false),
_isAdminUser(std::nullopt),
_watermarkOpacity(0.2),
- _accessibilityState(false)
+ _accessibilityState(false),
+ _disableVerifyHost(false)
{
}
@@ -226,6 +227,11 @@ void Session::parseDocOptions(const StringVector& tokens, int& part, std::string
_isAllowChangeComments = value == "true";
++offset;
}
+ else if (name == "verifyHost")
+ {
+ _disableVerifyHost = value == "false";
+ ++offset;
+ }
}
Util::mapAnonymized(_userId, _userIdAnonym);
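Review bot: The new `verifyHost` branch lives in `Session::parseDocOptions`, the base shared by wsd's `ClientSession` and the kit's `ChildSession`, so if wsd runs this parser on the browser's load command (as the shared base suggests) `_disableVerifyHost` is set on the wsd side from whatever the client sent. In this commit the flag is only honoured in the kit, where the load command comes from wsd, and wsd derives its own `verifyHost=false` from the server's SSL configuration rather than forwarding the parsed value, so no client-triggered downgrade is reachable today — but that invariant is unstated and easy to break later. I would add above the branch: `// Only honoured by the Kit, whose load command comes from wsd; a browser-supplied verifyHost must never be forwarded or acted on in wsd.` The comparison `value == "false"` is case-sensitive, consistent with the `"true"` comparisons earlier in this function. `parseDocOptions` starts before and continues after this hunk.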
diff --git a/common/Session.hpp b/common/Session.hpp
index b48c24ffd6..437ac9dce5 100644
--- a/common/Session.hpp
+++ b/common/Session.hpp
@@ -107,6 +107,9 @@ public:
/// Returns true iff the view is either non-readonly or can change comments.
bool isEditable() const { return !isReadOnly() || isAllowChangeComments(); }
+ /// if certification verification was disabled for the wopi server
+ bool isDisableVerifyHost() const { return _disableVerifyHost; }
+
/// overridden to prepend client ids on messages by the Kit
virtual bool sendBinaryFrame(const char* buffer, int length);
virtual bool sendTextFrame(const char* buffer, const int length);
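Review bot: The comment on `isDisableVerifyHost()` reads "certification verification" where "certificate verification" is meant, and it does not say where the value originates or that the inverted sense of the name is intentional. I would replace it with `/// True iff the load command carried "verifyHost=false", i.e. TLS certificate verification of the WOPI host is to be skipped in core (parsed in Session::parseDocOptions).` so a reader sees at the accessor that this is a security-relevant, message-supplied flag.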
@@ -393,6 +396,10 @@ private:
/// Specifies whether accessibility support is enabled for this session.
bool _accessibilityState;
+
+ /// Specifies whether certification verification for the wopi server
+ /// should be disabled in core
+ bool _disableVerifyHost;
};
/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
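Review bot: The member comment on `_disableVerifyHost` says "certification verification", which should be "certificate verification", and it would help to state the source of the value next to the field rather than only at the parser. I would write `/// Set from "verifyHost=false" in the load command; when true the Kit exempts the WOPI host from TLS certificate verification in core.` The class header is outside this hunk.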
diff --git a/kit/Kit.cpp b/kit/Kit.cpp
index 2e0c71d868..554a273e0d 100644
--- a/kit/Kit.cpp
+++ b/kit/Kit.cpp
@@ -1785,6 +1785,16 @@ std::shared_ptr<lok::Document> Document::load(const std::shared_ptr<ChildSession
if (FileUtil::Stat(pathFromFileURL(wopiCertDir)).exists())
::setenv("LO_CERTIFICATE_AUTHORITY_PATH", wopiCertDir.c_str(), 1);
+ // if ssl client verification was disabled in online for the wopi server,
+ // and this is a https connection then also exempt that host from ssl host
+ // verification in 'core'
+ if (session->isDisableVerifyHost())
+ {
+ std::string scheme, host, port;
+ if (net::parseUri(session->getDocURL(), scheme, host, port) && scheme == "https://")
+ ::setenv("LOK_EXEMPT_VERIFY_HOST", host.c_str(), 1);
+ }
+
std::string spellOnline = session->getSpellOnline();
if (!_loKitDocument)
{
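Review bot: The `::setenv("LOK_EXEMPT_VERIFY_HOST", ...)` added here is a deliberate TLS downgrade for the WOPI host, yet nothing logs which host was exempted, and nothing ever clears the variable, so an exemption inherited from the kit's environment or left by an earlier load in the same process stays in force even when `isDisableVerifyHost()` is false. I would log the exemption at warning level with the file's logging macro (`LOG_WRN` elsewhere in online, to be confirmed) and clear the variable on the other path, as below; whether `unsetenv` is acceptable depends on whether `LOK_EXEMPT_VERIFY_HOST` is also meant to be settable from outside the kit, which the hunk does not show. The `scheme == "https://"` test assumes `net::parseUri` returns the scheme with its `://` suffix; if it ever yields `https` alone the exemption is silently never applied, which at least fails safe but deserves a comment. `Document::load` begins before and continues after this hunk.
```cpp
    // … unchanged: LO_CERTIFICATE_AUTHORITY_PATH setup …
    if (session->isDisableVerifyHost())
    {
        std::string scheme, host, port;
        if (net::parseUri(session->getDocURL(), scheme, host, port) && scheme == "https://")
        {
            // Deliberate TLS downgrade for this one host: make it visible to operators.
            LOG_WRN("Exempting WOPI host [" << host << "] from TLS host verification in core");
            ::setenv("LOK_EXEMPT_VERIFY_HOST", host.c_str(), 1);
        }
    }
    else
    {
        // Do not let an exemption inherited from the environment, or left by an
        // earlier load in this process, outlive the session that asked for it.
        ::unsetenv("LOK_EXEMPT_VERIFY_HOST");
    }
    // … unchanged: spellOnline and document load …
```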
diff --git a/net/Ssl.hpp b/net/Ssl.hpp
index f0860061d5..94b6ba3658 100644
--- a/net/Ssl.hpp
+++ b/net/Ssl.hpp
@@ -109,6 +109,12 @@ public:
cipherList, verification);
}
+ static ssl::CertificateVerification getClientVerification()
+ {
+ assert(isClientContextInitialized() && "client context must be initialized");
+ return ClientInstance->verification();
+ }
+
static void uninitializeClientContext() { ClientInstance.reset(); }
/// Returns true iff the SslContext has been initialized.
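Review bot: `getClientVerification()` guards the `ClientInstance` dereference only with an `assert`, so in a release build a caller reaching it before the client context is initialised — or after `uninitializeClientContext()` two lines below has reset it — dereferences a null instance. Either document the precondition on the accessor, e.g. `/// Precondition: the client context is initialized; callers must check isClientContextInitialized() first.`, or make it fail closed by returning a non-`Disabled` verification mode when the instance is absent, so an uninitialised context can never read as "verification disabled". The one caller added in this commit (wsd/ClientSession.cpp) does not check `isClientContextInitialized()` before calling it.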
diff --git a/wsd/ClientSession.cpp b/wsd/ClientSession.cpp
index bcf1b97a07..87e93310b0 100644
--- a/wsd/ClientSession.cpp
+++ b/wsd/ClientSession.cpp
@@ -1259,6 +1259,11 @@ bool ClientSession::loadDocument(const char* /*buffer*/, int /*length*/,
std::ostringstream oss;
oss << "load url=" << docBroker->getPublicUri().toString();
+ // if ssl client verification was disabled in online for the wopi server,
+ // then exempt that host from ssl host verification also in core
+ if (ssl::Manager::getClientVerification() == ssl::CertificateVerification::Disabled)
+ oss << " verifyHost=false";
+
if (!getUserId().empty() && !getUserName().empty())
{
std::string encodedUserId;
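Review bot: `ssl::Manager::getClientVerification()` is called unconditionally here, but its only guard in net/Ssl.hpp is an `assert` on `isClientContextInitialized()`, so in a release build a load on a wsd whose client SSL context was never initialised would dereference a null instance; unless this block already sits inside a compile-time or runtime SSL guard not visible in the hunk, prefer `if (ssl::Manager::isClientContextInitialized() && ssl::Manager::getClientVerification() == ssl::CertificateVerification::Disabled)`. Since appending `verifyHost=false` is exactly what relaxes TLS in the kit, a one-line comment that this decision comes only from the server's own client-verification setting and never from the browser's load command would stop a future change from wiring the client-supplied value through. `ClientSession::loadDocument` starts before and continues after this hunk.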