pengjunjie/server
1
0
Fork 1
mirror of https://github.com/ONLYOFFICE/server.git synced 2026-04-07 14:04:35 +08:00
Code Issues Packages Projects Releases Wiki Activity

[bug] Save pdf password; for bug 70466

Browse Source
This commit is contained in:
Sergey Konovalov
2024-10-03 20:29:50 +03:00
parent fcf1195c0a
commit 511ecc149f
3 changed files with 33 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
Common/sources/formatchecker.js
View File

@ -581,6 +581,12 @@ exports.isOOXFormat = function(format) {
|| constants.AVS_OFFICESTUDIO_FILE_SPREADSHEET_XLTX === format || constants.AVS_OFFICESTUDIO_FILE_SPREADSHEET_XLTX === format
|| constants.AVS_OFFICESTUDIO_FILE_SPREADSHEET_XLTM === format; || constants.AVS_OFFICESTUDIO_FILE_SPREADSHEET_XLTM === format;
}; };
exports.isBrowserEditorFormat = function(format) {
return constants.AVS_OFFICESTUDIO_FILE_CROSSPLATFORM_PDF === format ||
constants.AVS_OFFICESTUDIO_FILE_CROSSPLATFORM_PDFA === format ||
constants.AVS_OFFICESTUDIO_FILE_CROSSPLATFORM_DJVU === format ||
constants.AVS_OFFICESTUDIO_FILE_CROSSPLATFORM_XPS === format;
};
function getDocumentFormatBySignature(buffer) { function getDocumentFormatBySignature(buffer) {
if (!buffer) { if (!buffer) {
return constants.AVS_OFFICESTUDIO_FILE_UNKNOWN; return constants.AVS_OFFICESTUDIO_FILE_UNKNOWN;

32
DocService/sources/canvasservice.js
View File

@ -170,7 +170,7 @@ function getOpenedAtJSONParams(row) {
async function getOutputData(ctx, cmd, outputData, key, optConn, optAdditionalOutput, opt_bIsRestore) { async function getOutputData(ctx, cmd, outputData, key, optConn, optAdditionalOutput, opt_bIsRestore) {
const tenExpUpdateVersionStatus = ms(ctx.getCfg('services.CoAuthoring.expire.updateVersionStatus', cfgExpUpdateVersionStatus)); const tenExpUpdateVersionStatus = ms(ctx.getCfg('services.CoAuthoring.expire.updateVersionStatus', cfgExpUpdateVersionStatus));
let status, statusInfo, password, creationDate, openedAt, row; let status, statusInfo, password, creationDate, openedAt, originFormat, row;
let selectRes = await taskResult.select(ctx, key); let selectRes = await taskResult.select(ctx, key);
if (selectRes.length > 0) { if (selectRes.length > 0) {
row = selectRes[0]; row = selectRes[0];
@ -179,6 +179,7 @@ async function getOutputData(ctx, cmd, outputData, key, optConn, optAdditionalOu
password = sqlBase.DocumentPassword.prototype.getCurPassword(ctx, row.password); password = sqlBase.DocumentPassword.prototype.getCurPassword(ctx, row.password);
creationDate = row.created_at && row.created_at.getTime(); creationDate = row.created_at && row.created_at.getTime();
openedAt = getOpenedAt(row); openedAt = getOpenedAt(row);
originFormat = row.change_id;
if (optAdditionalOutput) { if (optAdditionalOutput) {
optAdditionalOutput.row = row; optAdditionalOutput.row = row;
} }
@ -246,7 +247,7 @@ async function getOutputData(ctx, cmd, outputData, key, optConn, optAdditionalOu
userPassword = await utils.decryptPassword(ctx, encryptedUserPassword); userPassword = await utils.decryptPassword(ctx, encryptedUserPassword);
isCorrectPassword = decryptedPassword === userPassword; isCorrectPassword = decryptedPassword === userPassword;
} }
if(password && !isCorrectPassword) { if(password && !isCorrectPassword && !formatChecker.isBrowserEditorFormat(originFormat)) {
ctx.logger.debug("getOutputData password mismatch"); ctx.logger.debug("getOutputData password mismatch");
if(encryptedUserPassword) { if(encryptedUserPassword) {
outputData.setStatus('needpassword'); outputData.setStatus('needpassword');
@ -312,9 +313,13 @@ function* addRandomKeyTaskCmd(ctx, cmd) {
//set saveKey as postfix to fix vulnerability with path traversal to docId or other files //set saveKey as postfix to fix vulnerability with path traversal to docId or other files
cmd.setSaveKey(task.key.substring(docId.length)); cmd.setSaveKey(task.key.substring(docId.length));
} }
function addPasswordToCmd(ctx, cmd, docPasswordStr) { function addPasswordToCmd(ctx, cmd, docPasswordStr, originFormat) {
let docPassword = sqlBase.DocumentPassword.prototype.getDocPassword(ctx, docPasswordStr); let docPassword = sqlBase.DocumentPassword.prototype.getDocPassword(ctx, docPasswordStr);
if (docPassword.current) { if (docPassword.current) {
if (formatChecker.isBrowserEditorFormat(originFormat)) {
//todo not allowed different password
cmd.setPassword(docPassword.current);
}
cmd.setSavePassword(docPassword.current); cmd.setSavePassword(docPassword.current);
} }
if (docPassword.change) { if (docPassword.change) {
@ -642,7 +647,7 @@ let commandSfctByCmd = co.wrap(function*(ctx, cmd, opt_priority, opt_expiration,
ctx.setWopiSrc(sqlBase.DocumentAdditional.prototype.getWopiSrc(row.additional)); ctx.setWopiSrc(sqlBase.DocumentAdditional.prototype.getWopiSrc(row.additional));
} }
yield* addRandomKeyTaskCmd(ctx, cmd); yield* addRandomKeyTaskCmd(ctx, cmd);
addPasswordToCmd(ctx, cmd, row.password); addPasswordToCmd(ctx, cmd, row.password, row.change_id);
addOriginFormat(ctx, cmd, row); addOriginFormat(ctx, cmd, row);
let userAuthStr = sqlBase.UserCallback.prototype.getCallbackByUserIndex(ctx, row.callback); let userAuthStr = sqlBase.UserCallback.prototype.getCallbackByUserIndex(ctx, row.callback);
cmd.setWopiParams(wopiClient.parseWopiCallback(ctx, userAuthStr, row.callback)); cmd.setWopiParams(wopiClient.parseWopiCallback(ctx, userAuthStr, row.callback));
@ -866,19 +871,28 @@ function* commandSetPassword(ctx, conn, cmd, outputData) {
const tenOpenProtectedFile = ctx.getCfg('services.CoAuthoring.server.openProtectedFile', cfgOpenProtectedFile); const tenOpenProtectedFile = ctx.getCfg('services.CoAuthoring.server.openProtectedFile', cfgOpenProtectedFile);
let hasDocumentPassword = false; let hasDocumentPassword = false;
let isDocumentPasswordModified = true;
let selectRes = yield taskResult.select(ctx, cmd.getDocId()); let selectRes = yield taskResult.select(ctx, cmd.getDocId());
if (selectRes.length > 0) { if (selectRes.length > 0) {
let row = selectRes[0]; let row = selectRes[0];
hasPasswordCol = undefined !== row.password; hasPasswordCol = undefined !== row.password;
if (commonDefines.FileStatus.Ok === row.status && sqlBase.DocumentPassword.prototype.getCurPassword(ctx, row.password)) { if (commonDefines.FileStatus.Ok === row.status) {
hasDocumentPassword = true; let documentPasswordCurEnc = sqlBase.DocumentPassword.prototype.getCurPassword(ctx, row.password);
if (documentPasswordCurEnc) {
hasDocumentPassword = true;
const passwordCurPlain = yield utils.decryptPassword(ctx, documentPasswordCurEnc);
const passwordPlain = yield utils.decryptPassword(ctx, cmd.getPassword());
isDocumentPasswordModified = passwordCurPlain !== passwordPlain;
}
} }
} }
//https://github.com/ONLYOFFICE/web-apps/blob/4a7879b4f88f315fe94d9f7d97c0ed8aa9f82221/apps/documenteditor/main/app/controller/Main.js#L1652 //https://github.com/ONLYOFFICE/web-apps/blob/4a7879b4f88f315fe94d9f7d97c0ed8aa9f82221/apps/documenteditor/main/app/controller/Main.js#L1652
//this.appOptions.isPasswordSupport = this.appOptions.isEdit && this.api.asc_isProtectionSupport() && (this.permissions.protect!==false); //this.appOptions.isPasswordSupport = this.appOptions.isEdit && this.api.asc_isProtectionSupport() && (this.permissions.protect!==false);
let isPasswordSupport = tenOpenProtectedFile && !conn.user?.view && false !== conn.permissions?.protect; let isPasswordSupport = tenOpenProtectedFile && !conn.user?.view && false !== conn.permissions?.protect;
ctx.logger.debug('commandSetPassword isEnterCorrectPassword=%s, hasDocumentPassword=%s, hasPasswordCol=%s, isPasswordSupport=%s', conn.isEnterCorrectPassword, hasDocumentPassword, hasPasswordCol, isPasswordSupport); ctx.logger.debug('commandSetPassword isEnterCorrectPassword=%s, hasDocumentPassword=%s, hasPasswordCol=%s, isPasswordSupport=%s', conn.isEnterCorrectPassword, hasDocumentPassword, hasPasswordCol, isPasswordSupport);
if (isPasswordSupport && (conn.isEnterCorrectPassword || !hasDocumentPassword) && hasPasswordCol) { if (isPasswordSupport && hasPasswordCol && hasDocumentPassword && !isDocumentPasswordModified) {
outputData.setStatus('ok');
} else if (isPasswordSupport && (conn.isEnterCorrectPassword || !hasDocumentPassword) && hasPasswordCol) {
let updateMask = new taskResult.TaskResultData(); let updateMask = new taskResult.TaskResultData();
updateMask.tenant = ctx.tenant; updateMask.tenant = ctx.tenant;
updateMask.key = cmd.getDocId(); updateMask.key = cmd.getDocId();
@ -1439,7 +1453,7 @@ exports.downloadAs = function(req, res) {
var selectRes = yield taskResult.select(ctx, docId); var selectRes = yield taskResult.select(ctx, docId);
var row = selectRes.length > 0 ? selectRes[0] : null; var row = selectRes.length > 0 ? selectRes[0] : null;
if (!cmd.getWithoutPassword()) { if (!cmd.getWithoutPassword()) {
addPasswordToCmd(ctx, cmd, row && row.password); addPasswordToCmd(ctx, cmd, row && row.password, row && row.change_id);
} }
addOriginFormat(ctx, cmd, row); addOriginFormat(ctx, cmd, row);
cmd.setData(req.body); cmd.setData(req.body);
@ -1777,7 +1791,7 @@ exports.saveFromChanges = function(ctx, docId, statusInfo, optFormat, opt_userId
cmd.setLCID(opt_userLcid); cmd.setLCID(opt_userLcid);
let userAuthStr = sqlBase.UserCallback.prototype.getCallbackByUserIndex(ctx, row.callback); let userAuthStr = sqlBase.UserCallback.prototype.getCallbackByUserIndex(ctx, row.callback);
cmd.setWopiParams(wopiClient.parseWopiCallback(ctx, userAuthStr, row.callback)); cmd.setWopiParams(wopiClient.parseWopiCallback(ctx, userAuthStr, row.callback));
addPasswordToCmd(ctx, cmd, row && row.password); addPasswordToCmd(ctx, cmd, row && row.password, row && row.change_id);
addOriginFormat(ctx, cmd, row); addOriginFormat(ctx, cmd, row);
yield* addRandomKeyTaskCmd(ctx, cmd); yield* addRandomKeyTaskCmd(ctx, cmd);
var queueData = getSaveTask(ctx, cmd); var queueData = getSaveTask(ctx, cmd);

6
FileConverter/sources/converter.js
View File

@ -1123,9 +1123,11 @@ function* ExecuteTask(ctx, task) {
let isTimeout = false; let isTimeout = false;
if (constants.NO_ERROR === error) { if (constants.NO_ERROR === error) {
({childRes, isTimeout} = yield* spawnProcess(ctx, builderParams, tempDirs, dataConvert, authorProps, getTaskTime, task, isInJwtToken)); ({childRes, isTimeout} = yield* spawnProcess(ctx, builderParams, tempDirs, dataConvert, authorProps, getTaskTime, task, isInJwtToken));
if (childRes && 0 !== childRes.status && !isTimeout && task.getFromChanges() const canRollback = childRes && 0 !== childRes.status && !isTimeout && task.getFromChanges()
&& constants.AVS_OFFICESTUDIO_FILE_OTHER_OOXML !== dataConvert.formatTo && constants.AVS_OFFICESTUDIO_FILE_OTHER_OOXML !== dataConvert.formatTo
&& !formatChecker.isOOXFormat(dataConvert.formatTo) && !cmd.getWopiParams()) { && !formatChecker.isOOXFormat(dataConvert.formatTo) && !formatChecker.isBrowserEditorFormat(dataConvert.formatTo)
&& !cmd.getWopiParams();
if (canRollback) {
ctx.logger.warn('rollback to save changes to ooxml. See assemblyFormatAsOrigin param. formatTo=%s', formatChecker.getStringFromFormat(dataConvert.formatTo)); ctx.logger.warn('rollback to save changes to ooxml. See assemblyFormatAsOrigin param. formatTo=%s', formatChecker.getStringFromFormat(dataConvert.formatTo));
let extOld = path.extname(dataConvert.fileTo); let extOld = path.extname(dataConvert.fileTo);
let extNew = '.' + formatChecker.getStringFromFormat(constants.AVS_OFFICESTUDIO_FILE_OTHER_OOXML); let extNew = '.' + formatChecker.getStringFromFormat(constants.AVS_OFFICESTUDIO_FILE_OTHER_OOXML);