

Documents that contain macros trigger LibreOffice to present the
warning dialog that the document contains macros, and by default then
not allow the document to execute macros.

But documents that don't contain macros, but *call* scripts/macros
shipped with LibreOffice were explicitly put outside of that control.

We then have a bunch of different ways to link various document events
like mouse-over or document-load or validate-cell-data to execution of
scripts.

We've had a series of problems where either:
 * A script shipped with LibreOffice should not have been trusted to be
called by document event callbacks
 * Or the document smuggles a script location url past restriction
checks and manages to execute a script on the target file system that
it shouldn't be allowed to access

And then a number of iterations of discovery of new ways to get past
added checks.

So recently I've made an effort to demote these "shared" built-in
scripts from their privileged position and to consider the presence of
a call to a script-like thing as equally hazardous as containing macros
to get that warning dialog for these cases. This has been backported to
6.2.7 and 6.3.1.

Some more details are available in the commit
https://cgit.freedesktop.org/libreoffice/core/commit/?h=libreoffice-6-2&id=35fe064a67b54b0680b4845477c9b8751edda160
which maintainers of LTS might find worthwhile backporting to their own
branches as an additional backstop.
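
The case described above (a document with no macros of its own whose event listeners point at a script) can be triaged before a file is opened. The following is an added example, not part of the original post and not LibreOffice's own check; the function names, the list of XML parts scanned, and the `macro:` scheme and `Basic/`/`Scripts/` directory heuristics are assumptions, and the sample document and script name are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
SCRIPT_SCHEMES = ("vnd.sun.star.script:", "macro:")   # script-location URL schemes
XML_PARTS = ("content.xml", "styles.xml", "settings.xml")
MACRO_DIRS = ("Basic/", "Scripts/")                   # where embedded macros live


def scan_odf(data: bytes) -> dict:
    """Report embedded macros and script-URL references in an ODF package."""
    refs, skipped = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        embedded = any(n.startswith(MACRO_DIRS) for n in names)
        for part in (p for p in XML_PARTS if p in names):
            raw = pkg.read(part)
            if b"<!DOCTYPE" in raw:      # ODF parts need no DTD; avoid entity tricks
                skipped.append(part)
                continue
            for elem in ET.fromstring(raw).iter():
                href = elem.get(XLINK_HREF, "")
                if href.lower().startswith(SCRIPT_SCHEMES):
                    refs.append((part, elem.tag.rsplit("}", 1)[-1], href))
    return {"embedded_macros": embedded, "script_refs": refs, "skipped": skipped,
            "calls_without_macros": bool(refs) and not embedded}


def build_sample(href: str) -> bytes:
    """Constructed sample: a minimal ODF package with one document-load listener."""
    content = (
        '<office:document-content'
        ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
        ' xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"'
        ' xmlns:xlink="http://www.w3.org/1999/xlink">'
        '<office:scripts><office:event-listeners>'
        '<script:event-listener script:language="ooo:script"'
        f' script:event-name="dom:load" xlink:href={quoteattr(href)}/>'
        '</office:event-listeners></office:scripts></office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        pkg.writestr("content.xml", content)
    return buf.getvalue()


# Placeholder script name (hypothetical), pointing at the shared script location.
SAMPLE_HREF = "vnd.sun.star.script:Placeholder.Module.Main?language=Basic&location=share"

if __name__ == "__main__":
    print(scan_odf(build_sample(SAMPLE_HREF)))
```

A result with `calls_without_macros` set is the pattern that the backported change now routes through the macro warning dialog; on older builds it is a reason to quarantine the file for manual review.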



