diff options
| author | Mike Kaganski <mike.kaganski@collabora.com> | 2023-11-09 16:12:45 +0300 |
|---|---|---|
| committer | Miklos Vajna <vmiklos@collabora.com> | 2023-11-13 09:32:04 +0100 |
| commit | 17de201275120f2644b97a269f38d16b24bcadae (patch) | |
| tree | 47d4f092fb62255ec52235041f644a32c45383ac | |
| parent | e3743e615d094b51db76d52b77efcd4a74265beb (diff) | |
Fix USE_CONFIG_APPROVE_CONFIRMATION and USE_CONFIG_REJECT_CONFIRMATION
They still showed UI in case of signed macros.
Two decisions were made, to improve security of USE_CONFIG_APPROVE_CONFIRMATION:
1. In case of High macro security mode, valid but untrusted certificate will be
automatically rejected (because it is not safe to automatically add trusted
certificates) - so in this mode, USE_CONFIG_APPROVE_CONFIRMATION is the same
as USE_CONFIG_REJECT_CONFIRMATION;
2. In case of Medium macro security mode, valid but untrusted certificate will
not automatically allow macros execution, but will proceed to the following
checks - which on Windows will try to check the source's Security Zone, and
may disallow macros based on that. Only after Security Zone check the macros
will be automatically allowed.
Change-Id: I1a9c92c6b940b689599c5d106798ecfc691dad46
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159214
Tested-by: Jenkins
Reviewed-by: Mike Kaganski <mike.kaganski@collabora.com>
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159278
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
| -rw-r--r-- | sfx2/source/doc/docmacromode.cxx | 26 |
1 files changed, 20 insertions, 6 deletions
diff --git a/sfx2/source/doc/docmacromode.cxx b/sfx2/source/doc/docmacromode.cxx index 80c1908fd787..37871e0e170a 100644 --- a/sfx2/source/doc/docmacromode.cxx +++ b/sfx2/source/doc/docmacromode.cxx @@ -213,9 +213,12 @@ namespace sfx2 // should not ask any confirmations. FROM_LIST_AND_SIGNED_WARN should only allow // trusted signed macros at this point; so it may only ask for confirmation to add // certificates to trusted, and shouldn't show UI when trusted list is read-only. - const bool bAllowUI = nMacroExecutionMode != MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN - && (nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE - || !SvtSecurityOptions::IsReadOnly(SvtSecurityOptions::EOption::MacroTrustedAuthors)); + const bool bAllowUI + = nMacroExecutionMode != MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN + && eAutoConfirm == eNoAutoConfirm + && (nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE + || !SvtSecurityOptions::IsReadOnly( + SvtSecurityOptions::EOption::MacroTrustedAuthors)); const bool bHasTrustedMacroSignature = m_xData->m_rDocumentAccess.hasTrustedScriptingSignature(bAllowUI ? rxInteraction : nullptr); if (bHasTrustedMacroSignature) @@ -227,9 +230,20 @@ namespace sfx2 || nSignatureState == SignatureState::NOTVALIDATED ) { // there is valid signature, but it is not from the trusted author - // this case includes explicit reject from user in the UI in cases of - // FROM_LIST_AND_SIGNED_WARN and ALWAYS_EXECUTE - return disallowMacroExecution(); + if (eAutoConfirm == eAutoConfirmApprove + && nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE) + { + // For ALWAYS_EXECUTE + eAutoConfirmApprove (USE_CONFIG_APPROVE_CONFIRMATION + // in Medium security mode), do not approve it right here; let Security Zone + // check below do its job first. + } + else + { + // All other cases of valid but untrusted signatures should result in denied + // macros here. This includes explicit reject from user in the UI in cases + // of FROM_LIST_AND_SIGNED_WARN and ALWAYS_EXECUTE + return disallowMacroExecution(); + } } // Other values of nSignatureState would result in either rejected macros // (FROM_LIST_AND_SIGNED_*), or a confirmation. |