1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
3 * This file is part of the LibreOffice project.
5 * This Source Code Form is subject to the terms of the Mozilla Public
6 * License, v. 2.0. If a copy of the MPL was not distributed with this
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
9 * This file incorporates work covered by the following license notice:
11 * Licensed to the Apache Software Foundation (ASF) under one or more
12 * contributor license agreements. See the NOTICE file distributed
13 * with this work for additional information regarding copyright
14 * ownership. The ASF licenses this file to you under the Apache
15 * License, Version 2.0 (the "License"); you may not use this file
16 * except in compliance with the License. You may obtain a copy of
17 * the License at http://www.apache.org/licenses/LICENSE-2.0 .
20 #include <config_features.h>
22 #include <sfx2/docmacromode.hxx>
23 #include <sfx2/signaturestate.hxx>
24 #include <sfx2/docfile.hxx>
26 #include <com/sun/star/document/MacroExecMode.hpp>
27 #include <com/sun/star/task/ErrorCodeRequest.hpp>
28 #include <com/sun/star/task/DocumentMacroConfirmationRequest.hpp>
29 #include <com/sun/star/security/DocumentDigitalSignatures.hpp>
30 #include <com/sun/star/script/XLibraryContainer.hpp>
31 #include <com/sun/star/document/XEmbeddedScripts.hpp>
33 #include <comphelper/processfactory.hxx>
34 #include <framework/interaction.hxx>
35 #include <osl/file.hxx>
36 #include <unotools/securityoptions.hxx>
37 #include <svtools/sfxecode.hxx>
38 #include <tools/diagnose_ex.h>
39 #include <tools/urlobj.hxx>
42 #include <o3tl/char16_t2wchar_t.hxx>
43 #include <officecfg/Office/Common.hxx>
44 #include <systools/win32/comtools.hxx>
52 using ::com::sun::star::uno::Reference
;
53 using ::com::sun::star::task::XInteractionHandler
;
54 using ::com::sun::star::uno::Any
;
55 using ::com::sun::star::uno::Sequence
;
56 using ::com::sun::star::task::DocumentMacroConfirmationRequest
;
57 using ::com::sun::star::task::ErrorCodeRequest
;
58 using ::com::sun::star::uno::Exception
;
59 using ::com::sun::star::security::DocumentDigitalSignatures
;
60 using ::com::sun::star::security::XDocumentDigitalSignatures
;
61 using ::com::sun::star::embed::XStorage
;
62 using ::com::sun::star::document::XEmbeddedScripts
;
63 using ::com::sun::star::script::XLibraryContainer
;
64 using ::com::sun::star::container::XNameAccess
;
65 using ::com::sun::star::uno::UNO_QUERY_THROW
;
67 namespace MacroExecMode
= ::com::sun::star::document::MacroExecMode
;
70 //= DocumentMacroMode_Data
72 struct DocumentMacroMode_Data
74 IMacroDocumentAccess
& m_rDocumentAccess
;
75 bool m_bMacroDisabledMessageShown
;
76 bool m_bDocMacroDisabledMessageShown
;
78 explicit DocumentMacroMode_Data( IMacroDocumentAccess
& rDocumentAccess
)
79 :m_rDocumentAccess( rDocumentAccess
)
80 ,m_bMacroDisabledMessageShown( false )
81 ,m_bDocMacroDisabledMessageShown( false )
92 void lcl_showGeneralSfxErrorOnce( const Reference
< XInteractionHandler
>& rxHandler
, ErrCode nSfxErrorCode
, bool& rbAlreadyShown
)
97 ErrorCodeRequest aErrorCodeRequest
;
98 aErrorCodeRequest
.ErrCode
= sal_uInt32(nSfxErrorCode
);
100 SfxMedium::CallApproveHandler( rxHandler
, makeAny( aErrorCodeRequest
), false );
101 rbAlreadyShown
= true;
105 void lcl_showMacrosDisabledError( const Reference
< XInteractionHandler
>& rxHandler
, bool& rbAlreadyShown
)
107 lcl_showGeneralSfxErrorOnce( rxHandler
, ERRCODE_SFX_MACROS_SUPPORT_DISABLED
, rbAlreadyShown
);
111 void lcl_showDocumentMacrosDisabledError( const Reference
< XInteractionHandler
>& rxHandler
, bool& rbAlreadyShown
)
114 lcl_showGeneralSfxErrorOnce( rxHandler
, ERRCODE_SFX_DOCUMENT_MACRO_DISABLED_MAC
, rbAlreadyShown
);
116 lcl_showGeneralSfxErrorOnce( rxHandler
, ERRCODE_SFX_DOCUMENT_MACRO_DISABLED
, rbAlreadyShown
);
120 void lcl_showMacrosDisabledUnsignedContentError( const Reference
< XInteractionHandler
>& rxHandler
, bool& rbAlreadyShown
)
122 lcl_showGeneralSfxErrorOnce( rxHandler
, ERRCODE_SFX_DOCUMENT_MACRO_DISABLED_CONTENT_UNSIGNED
, rbAlreadyShown
);
125 bool lcl_showMacroWarning( const Reference
< XInteractionHandler
>& rxHandler
,
126 const OUString
& rDocumentLocation
)
128 DocumentMacroConfirmationRequest aRequest
;
129 aRequest
.DocumentURL
= rDocumentLocation
;
130 return SfxMedium::CallApproveHandler( rxHandler
, makeAny( aRequest
), true );
134 //= DocumentMacroMode
135 DocumentMacroMode::DocumentMacroMode( IMacroDocumentAccess
& rDocumentAccess
)
136 :m_xData( std::make_shared
<DocumentMacroMode_Data
>( rDocumentAccess
) )
140 bool DocumentMacroMode::allowMacroExecution()
142 m_xData
->m_rDocumentAccess
.setCurrentMacroExecMode( MacroExecMode::ALWAYS_EXECUTE_NO_WARN
);
146 bool DocumentMacroMode::disallowMacroExecution()
148 m_xData
->m_rDocumentAccess
.setCurrentMacroExecMode( MacroExecMode::NEVER_EXECUTE
);
152 bool DocumentMacroMode::adjustMacroMode( const Reference
< XInteractionHandler
>& rxInteraction
, bool bHasValidContentSignature
)
154 if ( SvtSecurityOptions::IsMacroDisabled() )
156 // no macro should be executed at all
157 lcl_showMacrosDisabledError( rxInteraction
, m_xData
->m_bMacroDisabledMessageShown
);
158 return disallowMacroExecution();
161 // get setting from configuration if required
162 enum AutoConfirmation
168 AutoConfirmation
eAutoConfirm( eNoAutoConfirm
);
170 sal_Int16 nMacroExecutionMode
= m_xData
->m_rDocumentAccess
.getCurrentMacroExecMode();
171 if ( ( nMacroExecutionMode
== MacroExecMode::USE_CONFIG
)
172 || ( nMacroExecutionMode
== MacroExecMode::USE_CONFIG_REJECT_CONFIRMATION
)
173 || ( nMacroExecutionMode
== MacroExecMode::USE_CONFIG_APPROVE_CONFIRMATION
)
176 // check confirm first, as nMacroExecutionMode is always overwritten by the GetMacroSecurityLevel() switch
177 if (nMacroExecutionMode
== MacroExecMode::USE_CONFIG_REJECT_CONFIRMATION
)
178 eAutoConfirm
= eAutoConfirmReject
;
179 else if (nMacroExecutionMode
== MacroExecMode::USE_CONFIG_APPROVE_CONFIRMATION
)
180 eAutoConfirm
= eAutoConfirmApprove
;
182 switch ( SvtSecurityOptions::GetMacroSecurityLevel() )
184 case 3: // "Very high"
185 nMacroExecutionMode
= MacroExecMode::FROM_LIST_NO_WARN
;
188 nMacroExecutionMode
= MacroExecMode::FROM_LIST_AND_SIGNED_WARN
;
191 nMacroExecutionMode
= MacroExecMode::ALWAYS_EXECUTE
;
194 nMacroExecutionMode
= MacroExecMode::ALWAYS_EXECUTE_NO_WARN
;
197 OSL_FAIL( "DocumentMacroMode::adjustMacroMode: unexpected macro security level!" );
198 nMacroExecutionMode
= MacroExecMode::NEVER_EXECUTE
;
202 if ( nMacroExecutionMode
== MacroExecMode::NEVER_EXECUTE
)
203 return disallowMacroExecution();
205 if ( nMacroExecutionMode
== MacroExecMode::ALWAYS_EXECUTE_NO_WARN
)
206 return allowMacroExecution();
208 SignatureState nSignatureState
= SignatureState::UNKNOWN
;
209 const OUString
sURL(m_xData
->m_rDocumentAccess
.getDocumentLocation());
212 // get document location from medium name and check whether it is a trusted one
213 // the service is created without document version, since it is not of interest here
214 Reference
< XDocumentDigitalSignatures
> xSignatures(DocumentDigitalSignatures::createDefault(::comphelper::getProcessComponentContext()));
215 INetURLObject
aURLReferer(sURL
);
217 OUString aLocation
= aURLReferer
.GetMainURL( INetURLObject::DecodeMechanism::NONE
);
219 if ( !aLocation
.isEmpty() && xSignatures
->isLocationTrusted( aLocation
) )
221 return allowMacroExecution();
224 // at this point it is clear that the document is not in the secure location
225 if ( nMacroExecutionMode
== MacroExecMode::FROM_LIST_NO_WARN
)
227 lcl_showDocumentMacrosDisabledError( rxInteraction
, m_xData
->m_bDocMacroDisabledMessageShown
);
228 return disallowMacroExecution();
231 // check whether the document is signed with trusted certificate
232 if ( nMacroExecutionMode
!= MacroExecMode::FROM_LIST
)
234 nSignatureState
= m_xData
->m_rDocumentAccess
.getScriptingSignatureState();
236 if (!bHasValidContentSignature
237 && (nMacroExecutionMode
== MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN
238 || nMacroExecutionMode
== MacroExecMode::FROM_LIST_AND_SIGNED_WARN
)
239 && m_xData
->m_rDocumentAccess
.macroCallsSeenWhileLoading())
241 // When macros are required to be signed, and the document has events which call
242 // macros, the document content needs to be signed, too. Do it here, and avoid
243 // possible UI asking to always trust certificates, after which the user's choice
244 // to allow macros would be ignored anyway.
245 lcl_showMacrosDisabledUnsignedContentError(rxInteraction
, m_xData
->m_bDocMacroDisabledMessageShown
);
246 return disallowMacroExecution();
249 // At this point, the possible values of nMacroExecutionMode are: ALWAYS_EXECUTE,
250 // FROM_LIST_AND_SIGNED_WARN (the default), FROM_LIST_AND_SIGNED_NO_WARN.
251 // ALWAYS_EXECUTE corresponds to the Medium security level; it should ask for
252 // confirmation when macros are unsigned or untrusted. FROM_LIST_AND_SIGNED_NO_WARN
253 // should not ask any confirmations. FROM_LIST_AND_SIGNED_WARN should only allow
254 // trusted signed macros at this point; so it may only ask for confirmation to add
255 // certificates to trusted, and shouldn't show UI when trusted list is read-only.
257 = nMacroExecutionMode
!= MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN
258 && eAutoConfirm
== eNoAutoConfirm
259 && (nMacroExecutionMode
== MacroExecMode::ALWAYS_EXECUTE
260 || !SvtSecurityOptions::IsReadOnly(
261 SvtSecurityOptions::EOption::MacroTrustedAuthors
));
262 const bool bHasTrustedMacroSignature
= m_xData
->m_rDocumentAccess
.hasTrustedScriptingSignature(bAllowUI
? rxInteraction
: nullptr);
264 if (bHasTrustedMacroSignature
)
266 // there is trusted macro signature, allow macro execution
267 return allowMacroExecution();
269 else if ( nSignatureState
== SignatureState::OK
270 || nSignatureState
== SignatureState::NOTVALIDATED
)
272 // there is valid signature, but it is not from the trusted author
273 if (eAutoConfirm
== eAutoConfirmApprove
274 && nMacroExecutionMode
== MacroExecMode::ALWAYS_EXECUTE
)
276 // For ALWAYS_EXECUTE + eAutoConfirmApprove (USE_CONFIG_APPROVE_CONFIRMATION
277 // in Medium security mode), do not approve it right here; let Security Zone
278 // check below do its job first.
282 // All other cases of valid but untrusted signatures should result in denied
283 // macros here. This includes explicit reject from user in the UI in cases
284 // of FROM_LIST_AND_SIGNED_WARN and ALWAYS_EXECUTE
286 lcl_showDocumentMacrosDisabledError(rxInteraction
, m_xData
->m_bDocMacroDisabledMessageShown
);
287 return disallowMacroExecution();
290 // Other values of nSignatureState would result in either rejected macros
291 // (FROM_LIST_AND_SIGNED_*), or a confirmation.
294 catch ( const Exception
& )
296 DBG_UNHANDLED_EXCEPTION("sfx.doc");
299 // at this point it is clear that the document is neither in secure location nor signed with trusted certificate
300 if ((nMacroExecutionMode
== MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN
)
301 || (nMacroExecutionMode
== MacroExecMode::FROM_LIST_AND_SIGNED_WARN
))
303 if (nMacroExecutionMode
== MacroExecMode::FROM_LIST_AND_SIGNED_WARN
)
304 lcl_showDocumentMacrosDisabledError(rxInteraction
, m_xData
->m_bDocMacroDisabledMessageShown
);
306 return disallowMacroExecution();
310 // Windows specific: try to decide macros loading depending on Windows Security Zones
311 // (is the file local, or it was downloaded from internet, etc?)
313 osl::FileBase::getSystemPathFromFileURL(sURL
, sFilePath
);
314 sal::systools::COMReference
<IZoneIdentifier
> pZoneId
;
315 pZoneId
.CoCreateInstance(CLSID_PersistentZoneIdentifier
);
316 sal::systools::COMReference
<IPersistFile
> pPersist(pZoneId
, sal::systools::COM_QUERY
);
318 if (!pPersist
|| !SUCCEEDED(pPersist
->Load(o3tl::toW(sFilePath
.getStr()), STGM_READ
)) ||
319 !SUCCEEDED(pZoneId
->GetId(&dwZone
)))
321 // no Security Zone info found -> assume a local file, not
323 dwZone
= URLZONE_LOCAL_MACHINE
;
326 // determine action from zone and settings
329 case URLZONE_LOCAL_MACHINE
:
330 nAction
= officecfg::Office::Common::Security::Scripting::WindowsSecurityZone::ZoneLocal::get();
332 case URLZONE_INTRANET
:
333 nAction
= officecfg::Office::Common::Security::Scripting::WindowsSecurityZone::ZoneIntranet::get();
335 case URLZONE_TRUSTED
:
336 nAction
= officecfg::Office::Common::Security::Scripting::WindowsSecurityZone::ZoneTrusted::get();
338 case URLZONE_INTERNET
:
339 nAction
= officecfg::Office::Common::Security::Scripting::WindowsSecurityZone::ZoneInternet::get();
341 case URLZONE_UNTRUSTED
:
342 nAction
= officecfg::Office::Common::Security::Scripting::WindowsSecurityZone::ZoneUntrusted::get();
345 // unknown zone, let's ask the user
356 if (nSignatureState
!= SignatureState::BROKEN
357 && nSignatureState
!= SignatureState::INVALID
)
358 return allowMacroExecution();
361 return disallowMacroExecution();
364 // confirmation is required
365 bool bSecure
= false;
367 if ( eAutoConfirm
== eNoAutoConfirm
)
369 OUString
sReferrer(sURL
);
370 osl::FileBase::getSystemPathFromFileURL(sReferrer
, sReferrer
);
372 bSecure
= lcl_showMacroWarning( rxInteraction
, sReferrer
);
375 bSecure
= ( eAutoConfirm
== eAutoConfirmApprove
);
377 return ( bSecure
? allowMacroExecution() : disallowMacroExecution() );
381 bool DocumentMacroMode::isMacroExecutionDisallowed() const
383 return m_xData
->m_rDocumentAccess
.getCurrentMacroExecMode() == MacroExecMode::NEVER_EXECUTE
;
387 bool DocumentMacroMode::containerHasBasicMacros( const Reference
< XLibraryContainer
>& xContainer
)
389 bool bHasMacroLib
= false;
392 if ( xContainer
.is() )
394 // a library container exists; check if it's empty
396 // if there are libraries except the "Standard" library
397 // we assume that they are not empty (because they have been created by the user)
398 if ( !xContainer
->hasElements() )
399 bHasMacroLib
= false;
402 static const OUStringLiteral
aStdLibName( u
"Standard" );
403 static const OUStringLiteral
aVBAProject( u
"VBAProject" );
404 const Sequence
< OUString
> aElements
= xContainer
->getElementNames();
405 for( const OUString
& aElement
: aElements
)
407 if( aElement
== aStdLibName
|| aElement
== aVBAProject
)
409 Reference
< XNameAccess
> xLib
;
410 Any aAny
= xContainer
->getByName( aElement
);
412 if ( xLib
.is() && xLib
->hasElements() )
421 catch( const Exception
& )
423 DBG_UNHANDLED_EXCEPTION("sfx.doc");
429 bool DocumentMacroMode::hasMacroLibrary() const
431 bool bHasMacroLib
= false;
432 #if HAVE_FEATURE_SCRIPTING
435 Reference
< XEmbeddedScripts
> xScripts( m_xData
->m_rDocumentAccess
.getEmbeddedDocumentScripts() );
436 Reference
< XLibraryContainer
> xContainer
;
438 xContainer
.set( xScripts
->getBasicLibraries(), UNO_QUERY_THROW
);
439 bHasMacroLib
= containerHasBasicMacros( xContainer
);
442 catch( const Exception
& )
444 DBG_UNHANDLED_EXCEPTION("sfx.doc");
451 bool DocumentMacroMode::storageHasMacros( const Reference
< XStorage
>& rxStorage
)
453 bool bHasMacros
= false;
454 if ( rxStorage
.is() )
458 static constexpr OUStringLiteral
s_sBasicStorageName( u
"Basic" );
459 static constexpr OUStringLiteral
s_sScriptsStorageName( u
"Scripts" );
461 bHasMacros
=( ( rxStorage
->hasByName( s_sBasicStorageName
)
462 && rxStorage
->isStorageElement( s_sBasicStorageName
)
464 || ( rxStorage
->hasByName( s_sScriptsStorageName
)
465 && rxStorage
->isStorageElement( s_sScriptsStorageName
)
469 catch ( const Exception
& )
471 DBG_UNHANDLED_EXCEPTION("sfx.doc");
477 bool DocumentMacroMode::hasMacros() const
479 return m_xData
->m_rDocumentAccess
.documentStorageHasMacros() || hasMacroLibrary() || m_xData
->m_rDocumentAccess
.macroCallsSeenWhileLoading();
482 bool DocumentMacroMode::checkMacrosOnLoading( const Reference
< XInteractionHandler
>& rxInteraction
, bool bHasValidContentSignature
, bool bHasMacros
)
485 if ( SvtSecurityOptions::IsMacroDisabled() )
487 // no macro should be executed at all
488 bAllow
= disallowMacroExecution();
494 bAllow
= adjustMacroMode( rxInteraction
, bHasValidContentSignature
);
496 else if ( !isMacroExecutionDisallowed() )
498 // if macros will be added by the user later, the security check is obsolete
499 bAllow
= allowMacroExecution();
509 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */