https://bugs.freedesktop.org/show_bug.cgi?id=83665
Priority: medium
Bug ID: 83665
CC: [email protected]
Assignee: [email protected]
Blocks: 83009
Summary: External images should not be loaded by default, but
should show an infobar that allows them to be loaded
Severity: normal
Classification: Unclassified
OS: All
Reporter: [email protected]
Hardware: Other
Status: UNCONFIRMED
Version: 4.3.1.2 release
Component: UI
Product: LibreOffice
Externally linked images are currently loaded in Writer (and presumably for
other document types as well) by default upon document load.

For several reasons, including the fact that this means documents can be
web-bugged under the default configuration, and the fact that from time to time
image parsing exploits occur, this does not seem like a sensible default
security setting.

(While an exploit image could as well be inserted directly into the document,
existing documents and templates would become silently exploitable by anyone
able to replace the target of existing HTTP-linked images, contrary to a user's
expectation that they'd have to actually download a document to be vulnerable.)

Although this can be disabled globally in Options - LibreOffice - Security -
"Block any links from documents not among the trusted locations", I believe it
would be a better user experience for this to be an always/never/ask
tristate, with an infobar to allow loading (and possibly also linking to the
"Edit - Links" dialog to list the images in question?)

(* Is there also an option somewhere which applies specifically to image links?
I thought there was, but can't presently find one. The above option allows for
exceptions to be added for filesystem locations under the "Macro Security..."
dialog, but apparently not for arbitrary URLs. Some way of specifying URL
exceptions could also be useful.)

See also bug 83662 - which allows images to be inserted in documents that
cannot be seen in the Navigator.
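To audit a document for the linked images described in this report before opening it, the following added example (not part of the bug report and not LibreOffice code) lists every `draw:image` in an ODF package whose `xlink:href` is a remote URL rather than a path inside the package. The function names, the set of schemes treated as remote, and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# ODF namespaces for the <draw:image xlink:href="..."> element.
DRAW_IMAGE = "{urn:oasis:names:tc:opendocument:xmlns:drawing:1.0}image"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
REMOTE_SCHEMES = {"http", "https", "ftp"}  # assumption: schemes worth flagging

def external_image_links(odf_file):
    """Return (part, url) for each image whose href points outside the package."""
    hits = []
    with zipfile.ZipFile(odf_file) as zf:
        names = set(zf.namelist())
        for part in ("content.xml", "styles.xml"):
            if part not in names:
                continue
            # ElementTree does not fetch external entities; for hostile input
            # a hardened parser such as defusedxml is the safer choice.
            root = ET.fromstring(zf.read(part))
            for img in root.iter(DRAW_IMAGE):
                href = img.get(XLINK_HREF, "")
                # Embedded images use package-relative paths (no scheme).
                if urlparse(href).scheme.lower() in REMOTE_SCHEMES:
                    hits.append((part, href))
    return hits

def build_sample_odt():
    """Constructed minimal package: one embedded image, one linked image."""
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content'
        ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
        ' xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"'
        ' xmlns:xlink="http://www.w3.org/1999/xlink"><office:body><office:text>'
        '<draw:frame><draw:image xlink:href="Pictures/logo.png"/></draw:frame>'
        '<draw:frame><draw:image xlink:href="http://tracker.example/p.png?id=42"/>'
        '</draw:frame></office:text></office:body></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for part, url in external_image_links(build_sample_odt()):
        print(f"{part}: linked image -> {url}")
```

`external_image_links` also accepts a filesystem path to an `.odt`, `.ods` or `.odp` file; it reads the package only and never requests the linked URL.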