mir/libreoffice
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix USE_CONFIG_APPROVE_CONFIRMATION and USE_CONFIG_REJECT_CONFIRMATION

Browse Source 
They still showed UI in case of signed macros.
Two decisions were made, to improve security of USE_CONFIG_APPROVE_CONFIRMATION:
1. In case of High macro security mode, valid but untrusted certificate will be
   automatically rejected (because it is not safe to automatically add trusted
   certificates) - so in this mode, USE_CONFIG_APPROVE_CONFIRMATION is the same
   as USE_CONFIG_REJECT_CONFIRMATION;
2. In case of Medium macro security mode, valid but untrusted certificate will
   not automatically allow macros execution, but will proceed to the following
   checks - which on Windows will try to check the source's Security Zone, and
   may disallow macros based on that. Only after Security Zone check the macros
   will be automatically allowed.

Change-Id: I1a9c92c6b940b689599c5d106798ecfc691dad46
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159214
Tested-by: Jenkins
Reviewed-by: Mike Kaganski <mike.kaganski@collabora.com>
This commit is contained in:
Mike Kaganski
2023-11-09 16:12:45 +03:00
parent 4d263b48a1
commit 7a73eedf00
1 changed files with 20 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
sfx2/source/doc/docmacromode.cxx
View File

@@ -213,9 +213,12 @@ namespace sfx2
// should not ask any confirmations. FROM_LIST_AND_SIGNED_WARN should only allow // should not ask any confirmations. FROM_LIST_AND_SIGNED_WARN should only allow
// trusted signed macros at this point; so it may only ask for confirmation to add // trusted signed macros at this point; so it may only ask for confirmation to add
// certificates to trusted, and shouldn't show UI when trusted list is read-only. // certificates to trusted, and shouldn't show UI when trusted list is read-only.
const bool bAllowUI = nMacroExecutionMode != MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN const bool bAllowUI
&& (nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE = nMacroExecutionMode != MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN
|| !SvtSecurityOptions::IsReadOnly(SvtSecurityOptions::EOption::MacroTrustedAuthors)); && eAutoConfirm == eNoAutoConfirm
&& (nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE
|| !SvtSecurityOptions::IsReadOnly(
SvtSecurityOptions::EOption::MacroTrustedAuthors));
const bool bHasTrustedMacroSignature = m_xData->m_rDocumentAccess.hasTrustedScriptingSignature(bAllowUI ? rxInteraction : nullptr); const bool bHasTrustedMacroSignature = m_xData->m_rDocumentAccess.hasTrustedScriptingSignature(bAllowUI ? rxInteraction : nullptr);
if (bHasTrustedMacroSignature) if (bHasTrustedMacroSignature)
@@ -227,9 +230,20 @@ namespace sfx2
|| nSignatureState == SignatureState::NOTVALIDATED ) || nSignatureState == SignatureState::NOTVALIDATED )
{ {
// there is valid signature, but it is not from the trusted author // there is valid signature, but it is not from the trusted author
// this case includes explicit reject from user in the UI in cases of if (eAutoConfirm == eAutoConfirmApprove
// FROM_LIST_AND_SIGNED_WARN and ALWAYS_EXECUTE && nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE)
return disallowMacroExecution(); {
// For ALWAYS_EXECUTE + eAutoConfirmApprove (USE_CONFIG_APPROVE_CONFIRMATION
// in Medium security mode), do not approve it right here; let Security Zone
// check below do its job first.
}
else
{
// All other cases of valid but untrusted signatures should result in denied
// macros here. This includes explicit reject from user in the UI in cases
// of FROM_LIST_AND_SIGNED_WARN and ALWAYS_EXECUTE
return disallowMacroExecution();
}
} }
// Other values of nSignatureState would result in either rejected macros // Other values of nSignatureState would result in either rejected macros
// (FROM_LIST_AND_SIGNED_*), or a confirmation. // (FROM_LIST_AND_SIGNED_*), or a confirmation.