sfx2/source/doc/docmacromode.cxx | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)
New commits:
commit 7a73eedf00541b5ba56b81e7d78faef4247f046f
Author: Mike Kaganski <mike.kagan...@collabora.com>
AuthorDate: Thu Nov 9 16:12:45 2023 +0300
Commit: Mike Kaganski <mike.kagan...@collabora.com>
CommitDate: Thu Nov 9 18:37:26 2023 +0100
Fix USE_CONFIG_APPROVE_CONFIRMATION and USE_CONFIG_REJECT_CONFIRMATION
They still showed UI in case of signed macros.
Two decisions were made, to improve security of
USE_CONFIG_APPROVE_CONFIRMATION:
1. In case of High macro security mode, valid but untrusted certificate
will be
automatically rejected (because it is not safe to automatically add
trusted
certificates) - so in this mode, USE_CONFIG_APPROVE_CONFIRMATION is the
same
as USE_CONFIG_REJECT_CONFIRMATION;
2. In case of Medium macro security mode, valid but untrusted certificate
will
not automatically allow macros execution, but will proceed to the
following
checks - which on Windows will try to check the source's Security Zone,
and
may disallow macros based on that. Only after Security Zone check the
macros
will be automatically allowed.
Change-Id: I1a9c92c6b940b689599c5d106798ecfc691dad46
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159214
Tested-by: Jenkins
Reviewed-by: Mike Kaganski <mike.kagan...@collabora.com>
diff --git a/sfx2/source/doc/docmacromode.cxx b/sfx2/source/doc/docmacromode.cxx
index d64b0b60697f..4e9311593aed 100644
--- a/sfx2/source/doc/docmacromode.cxx
+++ b/sfx2/source/doc/docmacromode.cxx
@@ -213,9 +213,12 @@ namespace sfx2
// should not ask any confirmations. FROM_LIST_AND_SIGNED_WARN
should only allow
// trusted signed macros at this point; so it may only ask for
confirmation to add
// certificates to trusted, and shouldn't show UI when trusted
list is read-only.
- const bool bAllowUI = nMacroExecutionMode !=
MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN
- && (nMacroExecutionMode ==
MacroExecMode::ALWAYS_EXECUTE
- ||
!SvtSecurityOptions::IsReadOnly(SvtSecurityOptions::EOption::MacroTrustedAuthors));
+ const bool bAllowUI
+ = nMacroExecutionMode !=
MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN
+ && eAutoConfirm == eNoAutoConfirm
+ && (nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE
+ || !SvtSecurityOptions::IsReadOnly(
+
SvtSecurityOptions::EOption::MacroTrustedAuthors));
const bool bHasTrustedMacroSignature =
m_xData->m_rDocumentAccess.hasTrustedScriptingSignature(bAllowUI ?
rxInteraction : nullptr);
if (bHasTrustedMacroSignature)
@@ -227,9 +230,20 @@ namespace sfx2
|| nSignatureState == SignatureState::NOTVALIDATED )
{
// there is valid signature, but it is not from the
trusted author
- // this case includes explicit reject from user in the UI
in cases of
- // FROM_LIST_AND_SIGNED_WARN and ALWAYS_EXECUTE
- return disallowMacroExecution();
+ if (eAutoConfirm == eAutoConfirmApprove
+ && nMacroExecutionMode ==
MacroExecMode::ALWAYS_EXECUTE)
+ {
+ // For ALWAYS_EXECUTE + eAutoConfirmApprove
(USE_CONFIG_APPROVE_CONFIRMATION
+ // in Medium security mode), do not approve it right
here; let Security Zone
+ // check below do its job first.
+ }
+ else
+ {
+ // All other cases of valid but untrusted signatures
should result in denied
+ // macros here. This includes explicit reject from
user in the UI in cases
+ // of FROM_LIST_AND_SIGNED_WARN and ALWAYS_EXECUTE
+ return disallowMacroExecution();
+ }
}
// Other values of nSignatureState would result in either
rejected macros
// (FROM_LIST_AND_SIGNED_*), or a confirmation.
