Hello Peter, all, On Wed, May 05, 2021 at 05:44:17PM +0000, Peter Kovacs wrote:
> On 05.05.21 14:37, Arrigo Marchiori wrote: > > Hello, > > > > On Wed, May 05, 2021 at 07:08:11AM +0000, Peter Kovacs wrote: > > > > > The best approach I believe is to add a whitelist feature as for macro > > > files. > > > > > > Users can add then the links they wish to approve. > > Do you mean file-based whitelists instead of target-based? > > > > I will try to explain myself better: the current filter on AOO 4.1.10 > > is target-based, because it is the target of the link that triggers > > the warning. Are you suggesting to add a whitelist based on files, for > > example "allow any links in documents from this directory"? > > > > If so, would you use the same whitelist as for macros, or would you > > introduce another one? > > I do not think that it makes sense to allow > https://my.payload.crime/AOO_diskscrambler.ods to be seen as save target for > opening and macro execution at the same time. > > Better is to have both separated. And the simple practicable solution is to > just add an own list which allows targets to be listed. I see. But please let us distinguish targets and sources. The macros' whitelist contains _directories_ (I don't really like calling them folders, I hope you don't mind) whose files are trusted, with respect to macro execution. In your reply above you seem to discuss a whitelist of _link targets_? Not documents, containing links that shall always be followed? > If we would want to have a vision, where we should develop to, this would be > mine: > > We have One list and 2 properties. 1 property for hyperlink whitelisting, > the other one for (macro) execution. I like our 4 security stages. The four security levels currently available for macros, if I understand correctly, are based on a combination of: - digital signatures of the macros (signed or not), - trust of certain digital signatures (certificate trusted or not), - position of the document (directory whitelisted or not). This is... quite complex IMHO. Did you refer exactly to this model? Or shall we rather adopt a simpler one for links, for example only considering the directories whitelist? And to understand better: does AOO allow to sign individual macros? Or just the document containing them? I don't think that it allows to sign individual links within a document. > Example for a customized setup on a POSIX filesystem (security level 3 = > very high and 0 = low; first value is hyperlink, second value is macro > execution of this origin): > > /tmpĀ (3,3) => Everything in the temp folder does not open links or execute > macros > > ~/ (2,2) => something that is within the home path, but not a folder listed > below, may execute signed macros or open targets that have a trusted > certificate > > ~/Downloads (2,3) => Downloads may open Links with a trusted certificate but > not allow to execute any macros > > ~/onlymystuff (0,0) => this is my documents and I allow everything possible > here. > > ~/macro_examples (3,1) => delivered example I do not want them to execute, > but they may be not linked by another document. > > ftps://securecontent.org ( 2,2) => this links pointing to this target are > opened, and the downloaded file may execute macros if they are signed with a > trusted key. -- Arrigo --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org