Greetings all;
Apologies for the encrypted version that went to the lists.here it is
unencrypted.
thoughts on the subject in line knmc, the other Keith in the room. ;)
On 2021-05-05 08:37, Arrigo Marchiori wrote:
> Hello,
> 
> On Wed, May 05, 2021 at 07:08:11AM +0000, Peter Kovacs wrote:
> 
>> The best approach I believe is to add a whitelist feature as for macro
>> files.
>>
>> Users can add then the links they wish to approve.
From a strictly process standpoint. I see a major problem with a "white
list" that depends on a user manually entering data or picking from a
drop-down list or multiple check boxes. The "average user" who may well
not know what ftps or .uno:is and does is likely to go for the "all of
the above" option. Given that aim of what were a re discussing is a fix
to a security vulnerability, that would be the last thing we would want
anyone to choose.

> 
> Do you mean file-based whitelists instead of target-based?
> 
> I will try to explain myself better: the current filter on AOO 4.1.10
> is target-based, because it is the target of the link that triggers
> the warning. Are you suggesting to add a whitelist based on files, for
> example "allow any links in documents from this directory"?
> 
> If so, would you use the same whitelist as for macros, or would you
> introduce another one?
> 
> Other ideas that come to my mind at the moment, just for the sake of
> this discussion:
> 
>  1- whitelist individual targets such as ".uno:Reload" and any other
>  ``complaints'' we will received between one release and the next;

This could be a reasonable solution though I do see potential drawbacks.
        1) Is dependent on
> 
>  2- whitelist all ".uno:" targets (but would this open possible
>  malicious exploits?)
> 
>  3- add a generic box "don't ask any more" on the warning window, that
>  disables _any_ future warnings;
> 
>  4- add a generic box "don't ask any more" on the warning window, that
>  disables future warnings for the _protocol of the current link_ (for
>  example all http:// or ftp:// or uno: links);
> 
>  5- add a generic box "don't ask any more" on the warning window, that
>  disables future warnings for the _target of the current link_ (for
>  example ".uno:Reload" or "http://server.com/document.html";);
> 
>  6- .... any other ideas worth discussing? ....
> 
> Best regards.
> 


>> On 04.05.21 16:05, k...@kshelton.plus.com wrote:
>>> For some years I've had a Reload button in my Calc document to avoid having 
>>> to use the File menu. Just updated to 4.1.10 and now I get a message when 
>>> pressing Reload button:
>>>
>>> This hyperlink is going to open “.uno:Reload”. Do you want to proceed?
>>>
>>> Is there a way of switching off this message please?
>>>
>>> Thanks.
>>>
>>> Regards
>>> Keith Shelton
>>>
>>>
>> -- 
>> This is the Way! http://www.apache.org/theapacheway/index.html
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
>> For additional commands, e-mail: dev-h...@openoffice.apache.org
>>
> 




Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to