Documents that contain macros trigger LibreOffice to present the
warning dialog that the document contains macros, and by default then
not allow the document to execute macros.

But documents that don't contain macros, but *call* scripts/macros
shipped with LibreOffice were explicitly put outside of that control.

We then have a bunch of different ways to link various document events
like mouse-over or document-load or validate-cell-data to execution of
scripts.

We've had a series of problems where either:
* A script shipped with LibreOffice should not have been trusted to be
called by document event callbacks
* Or the document smuggles a script location url past restriction
checks and manages to execute a script on the target file system that
it shouldn't be allowed to access

And then a number of iterations of discovery of new ways to get past
added checks.

So recently I've made an effort to demote these "shared" built-in
scripts from their privileged position and to consider the presence of
a call to a script-like thing as equally hazardous as containing macros
to get that warning dialog for these cases. This has been backported to
6.2.7 and 6.3.1.

Some more details are available in the commit
https://cgit.freedesktop.org/libreoffice/core/commit/?h=libreoffice-6-2&id=35fe064a67b54b0680b4845477c9b8751edda160
which maintainers of LTS might find worthwhile backporting to their own
branches as an additional backstop.
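
Added example, not part of the original post and not LibreOffice code: a small triage check that applies the same rule to an ODF package, flagging a file that embeds no macros but still *calls* a script. The scheme list, the macro folder names and the sample documents (including the placeholder script name) are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# URL schemes that address scripts/macros (assumed list, not exhaustive).
SCRIPT_SCHEMES = ("vnd.sun.star.script:", "macro:")
# Package folders where ODF documents keep embedded macros (assumption).
MACRO_DIRS = ("Basic/", "Scripts/")

def scan_odf(data: bytes) -> dict:
    """Report embedded macros and script-calling URLs in an ODF package."""
    embedded, calls = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if name.startswith(MACRO_DIRS):
                embedded.append(name)
            elif name.endswith(".xml"):
                # ElementTree is fine for the constructed samples below; use a
                # hardened parser (e.g. defusedxml) on untrusted files.
                root = ET.fromstring(pkg.read(name))
                for elem in root.iter():
                    for value in elem.attrib.values():
                        if value.strip().lower().startswith(SCRIPT_SCHEMES):
                            calls.append((name, value))
    # A call to a script counts the same as a contained macro.
    return {"embedded_macros": embedded, "script_calls": calls,
            "needs_warning": bool(embedded or calls)}

def _sample(content_xml: str) -> bytes:
    """Build a minimal constructed ODF-like package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        pkg.writestr("content.xml", content_xml)
    return buf.getvalue()

NS = ('xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
      'xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" '
      'xmlns:xlink="http://www.w3.org/1999/xlink"')
# Constructed samples: one plain document, one that only *calls* a shared script.
PLAIN = _sample(f"<office:document-content {NS}/>")
CALLER = _sample(
    f"<office:document-content {NS}><office:scripts><office:event-listeners>"
    '<script:event-listener script:language="ooo:script" script:event-name="dom:load" '
    'xlink:href="vnd.sun.star.script:placeholder.py$entry?language=Python&amp;location=share"/>'
    "</office:event-listeners></office:scripts></office:document-content>")

if __name__ == "__main__":
    print(scan_odf(PLAIN))
    print(scan_odf(CALLER))
```
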
Context
- security warning now additionally on *calling* scripts/macros · Caolán McNamara