author | Mike Kaganski <mike.kaganski@collabora.com> | 2023-11-08 10:31:05 +0300 |
---|---|---|
committer | Mike Kaganski <mike.kaganski@collabora.com> | 2023-11-09 07:20:30 +0100 |
commit | 47c564280e69e52c2a69cd553c654f9e04f3ae89 (patch) | |
tree | 514ceb87f6e523bab078668056c2ce32be135656 | |
parent | fd2988a5911758cc6c56942c235857fd9a327fd4 (diff) |
Early shortcut for cases requiring both macro and document signatures
This avoids a possible problem in High security mode, introduced in
commit 1dc71daf7fa7204a98c75dac680af664ab9c8edb (Improve macro checks,
2021-01-28), where a valid but untrusted macro certificate initiates
a UI asking to always allow this certificate; but no matter what the user
chooses, macros will be disallowed when the document itself is unsigned.
Now it will check the document signature state early.
Change-Id: If2255be5da19f3de0090154f0b891ed9496e7bc6
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159105
Tested-by: Jenkins
Reviewed-by: Mike Kaganski <mike.kaganski@collabora.com>
-rw-r--r-- | sfx2/source/doc/docmacromode.cxx | 29 |
1 files changed, 19 insertions, 10 deletions
diff --git a/sfx2/source/doc/docmacromode.cxx b/sfx2/source/doc/docmacromode.cxx index 377c14517586..2ab24c83cb78 100644 --- a/sfx2/source/doc/docmacromode.cxx +++ b/sfx2/source/doc/docmacromode.cxx @@ -189,6 +189,23 @@ namespace sfx2 // check whether the document is signed with trusted certificate if ( nMacroExecutionMode != MacroExecMode::FROM_LIST ) { + SignatureState nSignatureState = m_xData->m_rDocumentAccess.getScriptingSignatureState(); + + if (!bHasValidContentSignature + && (nMacroExecutionMode == MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN + || nMacroExecutionMode == MacroExecMode::FROM_LIST_AND_SIGNED_WARN) + && m_xData->m_rDocumentAccess.macroCallsSeenWhileLoading()) + { + // When macros are required to be signed, and the document has events which call + // macros, the document content needs to be signed, too. Do it here, and avoid + // possible UI asking to always trust certificates, after which the user's choice + // to allow macros would be ignored anyway. + m_xData->m_bHasUnsignedContentError + = nSignatureState == SignatureState::OK + || nSignatureState == SignatureState::NOTVALIDATED; + return disallowMacroExecution(); + } + // At this point, the possible values of nMacroExecutionMode are: ALWAYS_EXECUTE, // FROM_LIST_AND_SIGNED_WARN (the default), FROM_LIST_AND_SIGNED_NO_WARN. // ALWAYS_EXECUTE corresponds to the Medium security level; it should ask for 
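Review bot: `nSignatureState` is now read before `hasTrustedScriptingSignature(...)` runs, although the comment removed in the second hunk said the trust check is what retrieves the signature state. The getter's implementation is not visible here, so it is worth confirming that `getScriptingSignatureState()` validates on its own when called first; otherwise the later `nSignatureState == SignatureState::BROKEN` test and the new `m_bHasUnsignedContentError` assignment could be decided from a state taken before validation. Declaring it `const SignatureState nSignatureState = ...;` with a line such as `// read before the trust check on purpose; the getter must validate by itself` would make the ordering explicit. The new block would also benefit from a short comment on why the error flag is set only for `OK`/`NOTVALIDATED`, which appears to mean "macro signature valid, content unsigned". The enclosing function starts and ends outside the hunk.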
@@ -196,25 +213,15 @@ namespace sfx2 // should not ask any confirmations. FROM_LIST_AND_SIGNED_WARN should only allow // trusted signed macros at this point; so it may only ask for confirmation to add // certificates to trusted, and shouldn't show UI when trusted list is read-only. - // the trusted macro check will also retrieve the signature state ( small optimization ) const bool bAllowUI = nMacroExecutionMode != MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN && (nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE || !SvtSecurityOptions::IsReadOnly(SvtSecurityOptions::EOption::MacroTrustedAuthors)); const bool bHasTrustedMacroSignature = m_xData->m_rDocumentAccess.hasTrustedScriptingSignature(bAllowUI ? rxInteraction : nullptr); - SignatureState nSignatureState = m_xData->m_rDocumentAccess.getScriptingSignatureState(); if ( nSignatureState == SignatureState::BROKEN ) { return disallowMacroExecution(); } - else if (nMacroExecutionMode != MacroExecMode::ALWAYS_EXECUTE - && m_xData->m_rDocumentAccess.macroCallsSeenWhileLoading() - && bHasTrustedMacroSignature && !bHasValidContentSignature) - { - // When macros are signed, and the document has events which call macros, the document content needs to be signed too. - m_xData->m_bHasUnsignedContentError = true; - return disallowMacroExecution(); - } else if ( bHasTrustedMacroSignature ) { // there is trusted macro signature, allow macro execution @@ -224,6 +231,8 @@ namespace sfx2 || nSignatureState == SignatureState::NOTVALIDATED ) { // there is valid signature, but it is not from the trusted author + // this case includes explicit reject from user in the UI in cases of + // FROM_LIST_AND_SIGNED_WARN and ALWAYS_EXECUTE return disallowMacroExecution(); } } |
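Review bot: The comment added in the last hunk (`@@ -224,6 +231,8 @@`) mentions only the explicit reject from the user, but the same branch is also reached when no prompt was shown at all. Going by the `bAllowUI` expression in the previous hunk, that happens in `FROM_LIST_AND_SIGNED_NO_WARN` mode and when the trusted-authors option is read-only. A reader auditing this decision could otherwise assume the user always had a chance to answer. Consider adding `// also reached without any prompt when bAllowUI is false (NO_WARN mode, or read-only trusted authors list)`. The surrounding if/else chain continues outside the hunk.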