

Hi,

On Wed, Feb 10, 2016 at 02:20:50PM -0500, Bryan Quigley wrote:
> >         Anyhow - I share your concern wrt. the attack surface that all these
> > old file filters provide for us; I attach a prototype patch that adds an
> > 'EXOTIC' annotation to our filter descriptions. It is missing a UI
> > Interaction Handler piece (cf. the hole with the notes and so on in
> > there ;-) - we'll need a new request type I guess.
> >
> >         My ideal would be to pop up a dialog saying:
> >
> >         "You're asking LibreOffice to open a very unusual file-type.
> >          Unless you are certain that this file is indeed a <Lotus
> >          Word Pro> file it is safest to not open it.
> >
> >          [ ] - never show this again
> >
> >                       [ this is an unusual file ] [get me out of here ]"
> >
> >         Of some kind =) is that something you'd be interested in working on ?
> Thanks for the first pass code.  I generally don't find dialogues like
> that to be super useful (many users just click right through).
> However, in labeling them Exotic we could add a configuration option
> to let system administrators disable them all in one go for a secure
> site, etc.  I'll look into that more.

This of course makes the assumption that filters for common formats
(like .doc etc.) do not contain vulnerabilities, which is IMHO just
wishful thinking. IIRC there was exactly 1 CVE for import of a non-MS file
format during the ~8 years I have been working on this code base. And I
think the likelihood to encounter a malformed (or even malicious) MS
Word document is far greater than, e.g., a Hangul Word or AppleWorks
document. So the "secure site" aspect seems rather dubious to me.

Not to mention that users/admins in different countries (or even in
different professions) may have different ideas about which formats
should be considered "exotic".

D.
