diff options
| author | Mike Kaganski <mike.kaganski@collabora.com> | 2023-11-09 16:12:45 +0300 |
|---|---|---|
| committer | Mike Kaganski <mike.kaganski@collabora.com> | 2023-12-07 15:13:20 +0300 |
| commit | cba0fc949d8d3c609d4ce99453fcd75f11d0861b (patch) | |
| tree | 5eafe7b0614939a56df715159a9c57f47452900c | |
| parent | d6d45c5d0dad86e3d024d7a187774e3bc4af0c53 (diff) | |
Fix USE_CONFIG_APPROVE_CONFIRMATION and USE_CONFIG_REJECT_CONFIRMATIONmimo-7.5.9.2.M1
They still showed UI in case of signed macros.
Two decisions were made, to improve security of USE_CONFIG_APPROVE_CONFIRMATION:
1. In case of High macro security mode, valid but untrusted certificate will be
automatically rejected (because it is not safe to automatically add trusted
certificates) - so in this mode, USE_CONFIG_APPROVE_CONFIRMATION is the same
as USE_CONFIG_REJECT_CONFIRMATION;
2. In case of Medium macro security mode, valid but untrusted certificate will
not automatically allow macros execution, but will proceed to the following
checks - which on Windows will try to check the source's Security Zone, and
may disallow macros based on that. Only after Security Zone check the macros
will be automatically allowed.
Change-Id: I1a9c92c6b940b689599c5d106798ecfc691dad46
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159214
Tested-by: Jenkins
Reviewed-by: Mike Kaganski <mike.kaganski@collabora.com>
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159278
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
| -rw-r--r-- | sfx2/source/doc/docmacromode.cxx | 30 |
1 files changed, 22 insertions, 8 deletions
diff --git a/sfx2/source/doc/docmacromode.cxx b/sfx2/source/doc/docmacromode.cxx index 103a079a31c5..c2f48d85a9d3 100644 --- a/sfx2/source/doc/docmacromode.cxx +++ b/sfx2/source/doc/docmacromode.cxx @@ -253,9 +253,12 @@ namespace sfx2 // should not ask any confirmations. FROM_LIST_AND_SIGNED_WARN should only allow // trusted signed macros at this point; so it may only ask for confirmation to add // certificates to trusted, and shouldn't show UI when trusted list is read-only. - const bool bAllowUI = nMacroExecutionMode != MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN - && (nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE - || !SvtSecurityOptions::IsReadOnly(SvtSecurityOptions::EOption::MacroTrustedAuthors)); + const bool bAllowUI + = nMacroExecutionMode != MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN + && eAutoConfirm == eNoAutoConfirm + && (nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE + || !SvtSecurityOptions::IsReadOnly( + SvtSecurityOptions::EOption::MacroTrustedAuthors)); const bool bHasTrustedMacroSignature = m_xData->m_rDocumentAccess.hasTrustedScriptingSignature(bAllowUI ? rxInteraction : nullptr); if (bHasTrustedMacroSignature) @@ -267,11 +270,22 @@ namespace sfx2 || nSignatureState == SignatureState::NOTVALIDATED ) { // there is valid signature, but it is not from the trusted author - // this case includes explicit reject from user in the UI in cases of - // FROM_LIST_AND_SIGNED_WARN and ALWAYS_EXECUTE - if (!bAllowUI) - lcl_showDocumentMacrosDisabledError(rxInteraction, m_xData->m_bDocMacroDisabledMessageShown); - return disallowMacroExecution(); + if (eAutoConfirm == eAutoConfirmApprove + && nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE) + { + // For ALWAYS_EXECUTE + eAutoConfirmApprove (USE_CONFIG_APPROVE_CONFIRMATION + // in Medium security mode), do not approve it right here; let Security Zone + // check below do its job first. + } + else + { + // All other cases of valid but untrusted signatures should result in denied + // macros here. This includes explicit reject from user in the UI in cases + // of FROM_LIST_AND_SIGNED_WARN and ALWAYS_EXECUTE + if (!bAllowUI) + lcl_showDocumentMacrosDisabledError(rxInteraction, m_xData->m_bDocMacroDisabledMessageShown); + return disallowMacroExecution(); + } } // Other values of nSignatureState would result in either rejected macros // (FROM_LIST_AND_SIGNED_*), or a confirmation. |