https://bugs.documentfoundation.org/show_bug.cgi?id=158090
--- Comment #1 from Mike Kaganski <[email protected]> --- Current implementation of DocumentMacroMode::adjustMacroMode results in this (as an example, take Medium macro security level, and a document with macro bound to events, not in trusted location): > Document is NOT signed, macro is unsigned: ask and follow the choice > (OK) > Document is NOT signed, macro is signed trusted: deny silently > unconditionally (?) > Document is NOT signed, macro is signed untrusted: ask, then deny > unconditionally (???) > Document is NOT signed, macro is signed broken: deny silently > unconditionally (?) > Document is NOT signed, macro is signed invalid: ask and follow the choice > (! IMO OK) > > Document is signed, macro is unsigned: ask and follow the choice > (OK) > Document is signed, macro is signed trusted: allow silently > unconditionally (OK) > Document is signed, macro is signed untrusted: ask and follow the choice > (OK) > Document is signed, macro is signed broken: deny silently > unconditionally (?) > Document is signed, macro is signed invalid: ask and follow the choice > (! IMO OK) And here questions arise: why unsigned document and unsigned macro is less dangerous than unsigned document and a macro signed with a valid trusted signature? The latter is so much dangerous, that user can't use that, unless they set their security to the lowest level possible? Why, at the same time, unsigned document with a macro having an INVALID signature allows user to make their choice? Why the explicit choice made when the macro is valid but untrusted, is ignored when document is unsigned? I think, that the status of document signature should not matter here. In fact, current implementation disallows most reasonable use of macro signing in organizations, where administrators might want to restrict to use of signed macros only; but requiring every document having these macros be signed would be overkill; and in case of databases, that would be simply impossible (note that databases allow macros signed using API). -- You are receiving this mail because: You are the assignee for the bug.
