Greetings all;

Apologies for the encrypted version that went to the lists. Here it is unencrypted. Thoughts on the subject in line.

knmc, the other Keith in the room. ;)

On 2021-05-05 08:37, Arrigo Marchiori wrote:
> Hello,
>
> On Wed, May 05, 2021 at 07:08:11AM +0000, Peter Kovacs wrote:
>
>> The best approach I believe is to add a whitelist feature as for macro
>> files.
>>
>> Users can then add the links they wish to approve.

From a strictly process standpoint, I see a major problem with a "white list" that depends on a user manually entering data or picking from a drop-down list or multiple check boxes. The "average user" who may well not know what ftps or .uno: is and does is likely to go for the "all of the above" option. Given that the aim of what we are discussing is a fix to a security vulnerability, that would be the last thing we would want anyone to choose.

>
> Do you mean file-based whitelists instead of target-based?
>
> I will try to explain myself better: the current filter on AOO 4.1.10
> is target-based, because it is the target of the link that triggers
> the warning. Are you suggesting to add a whitelist based on files, for
> example "allow any links in documents from this directory"?
>
> If so, would you use the same whitelist as for macros, or would you
> introduce another one?
>
> Other ideas that come to my mind at the moment, just for the sake of
> this discussion:
>
> 1- whitelist individual targets such as ".uno:Reload" and any other
> ``complaints'' we will receive between one release and the next;

This could be a reasonable solution though I do see potential drawbacks. 1) Is dependent on

>
> 2- whitelist all ".uno:" targets (but would this open possible
> malicious exploits?)
>
> 3- add a generic box "don't ask any more" on the warning window, that
> disables _any_ future warnings;
>
> 4- add a generic box "don't ask any more" on the warning window, that
> disables future warnings for the _protocol of the current link_ (for
> example all http:// or ftp:// or uno: links);
>
> 5- add a generic box "don't ask any more" on the warning window, that
> disables future warnings for the _target of the current link_ (for
> example ".uno:Reload" or "http://server.com/document.html");
>
> 6- .... any other ideas worth discussing? ....
>
> Best regards.
>
>> On 04.05.21 16:05, k...@kshelton.plus.com wrote:
>>> For some years I've had a Reload button in my Calc document to avoid having
>>> to use the File menu. Just updated to 4.1.10 and now I get a message when
>>> pressing Reload button:
>>>
>>> This hyperlink is going to open “.uno:Reload”. Do you want to proceed?
>>>
>>> Is there a way of switching off this message please?
>>>
>>> Thanks.
>>>
>>> Regards
>>> Keith Shelton
>>>
>> --
>> This is the Way!
>> http://www.apache.org/theapacheway/index.html