https://bugs.documentfoundation.org/show_bug.cgi?id=83665
--- Comment #3 from Jérôme Augé <[email protected]> ---

I just stumbled on this case (i.e. automatic loading of external resources) with LibreOffice in server mode (but also with the desktop version).

Is there a way (LibreOffice setting or option) to disable the loading of external HTTP resources?

Otherwise, this means an outside attacker can perform arbitrary HTTP requests from within a corporate LAN, for example. The attacker creates a document with special "xlink:href" URLs designed to exploit internal services. They then send this document to a corporate user, who opens the file from his computer on the LAN, and LibreOffice performs the HTTP requests designed by the attacker.

I consider this a serious security threat. In a sense, it looks like the XXE (XML External Entity Processing) vulnerabilities.

Without a global security switch to disable the loading of these external resources, the only solution I see to mitigate this is to manually sanitize the "content.xml", removing any images with HTTP URLs in "xlink:href", before opening the document with LibreOffice.

Regards,
Jérôme
