search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix USE_CONFIG_APPROVE_CONFIRMATION and USE_CONFIG_REJECT_CONFIRMATION
[LibreOffice.git] / sfx2 / source / doc / docmacromode.cxx
blob02f568ac6027b173110728bee93aa3aa2bca8e51
1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /*
3 * This file is part of the LibreOffice project.
4 *
5 * This Source Code Form is subject to the terms of the Mozilla Public
6 * License, v. 2.0. If a copy of the MPL was not distributed with this
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
8 *
9 * This file incorporates work covered by the following license notice:
10 *
11 * Licensed to the Apache Software Foundation (ASF) under one or more
12 * contributor license agreements. See the NOTICE file distributed
13 * with this work for additional information regarding copyright
14 * ownership. The ASF licenses this file to you under the Apache
15 * License, Version 2.0 (the "License"); you may not use this file
16 * except in compliance with the License. You may obtain a copy of
17 * the License at http://www.apache.org/licenses/LICENSE-2.0 .
18 */
19
20 #include <config_features.h>
21
22 #include <sfx2/docmacromode.hxx>
23 #include <sfx2/signaturestate.hxx>
24 #include <sfx2/docfile.hxx>
25
26 #include <com/sun/star/document/MacroExecMode.hpp>
27 #include <com/sun/star/task/ErrorCodeRequest.hpp>
28 #include <com/sun/star/task/DocumentMacroConfirmationRequest.hpp>
29 #include <com/sun/star/security/DocumentDigitalSignatures.hpp>
30 #include <com/sun/star/script/XLibraryContainer.hpp>
31 #include <com/sun/star/document/XEmbeddedScripts.hpp>
32
33 #include <comphelper/processfactory.hxx>
34 #include <framework/interaction.hxx>
35 #include <osl/file.hxx>
36 #include <unotools/securityoptions.hxx>
37 #include <svtools/sfxecode.hxx>
38 #include <tools/diagnose_ex.h>
39 #include <tools/urlobj.hxx>
40
41 #if defined(_WIN32)
42 #include <o3tl/char16_t2wchar_t.hxx>
43 #include <officecfg/Office/Common.hxx>
44 #include <systools/win32/comtools.hxx>
45 #include <urlmon.h>
46 #endif
47
48 namespace sfx2
49 {
50
51
52 using ::com::sun::star::uno::Reference;
53 using ::com::sun::star::task::XInteractionHandler;
54 using ::com::sun::star::uno::Any;
55 using ::com::sun::star::uno::Sequence;
56 using ::com::sun::star::task::DocumentMacroConfirmationRequest;
57 using ::com::sun::star::task::ErrorCodeRequest;
58 using ::com::sun::star::uno::Exception;
59 using ::com::sun::star::security::DocumentDigitalSignatures;
60 using ::com::sun::star::security::XDocumentDigitalSignatures;
61 using ::com::sun::star::embed::XStorage;
62 using ::com::sun::star::document::XEmbeddedScripts;
63 using ::com::sun::star::script::XLibraryContainer;
64 using ::com::sun::star::container::XNameAccess;
65 using ::com::sun::star::uno::UNO_QUERY_THROW;
66
67 namespace MacroExecMode = ::com::sun::star::document::MacroExecMode;
68
69
70 //= DocumentMacroMode_Data
71
72 struct DocumentMacroMode_Data
73 {
74 IMacroDocumentAccess& m_rDocumentAccess;
75 bool m_bMacroDisabledMessageShown;
76 bool m_bDocMacroDisabledMessageShown;
77
78 explicit DocumentMacroMode_Data( IMacroDocumentAccess& rDocumentAccess )
79 :m_rDocumentAccess( rDocumentAccess )
80 ,m_bMacroDisabledMessageShown( false )
81 ,m_bDocMacroDisabledMessageShown( false )
82 {
83 }
84 };
85
86
87 //= helper
88
89 namespace
90 {
91
92 void lcl_showGeneralSfxErrorOnce( const Reference< XInteractionHandler >& rxHandler, ErrCode nSfxErrorCode, bool& rbAlreadyShown )
93 {
94 if ( rbAlreadyShown )
95 return;
96
97 ErrorCodeRequest aErrorCodeRequest;
98 aErrorCodeRequest.ErrCode = sal_uInt32(nSfxErrorCode);
99
100 SfxMedium::CallApproveHandler( rxHandler, makeAny( aErrorCodeRequest ), false );
101 rbAlreadyShown = true;
102 }
103
104
105 void lcl_showMacrosDisabledError( const Reference< XInteractionHandler >& rxHandler, bool& rbAlreadyShown )
106 {
107 lcl_showGeneralSfxErrorOnce( rxHandler, ERRCODE_SFX_MACROS_SUPPORT_DISABLED, rbAlreadyShown );
108 }
109
110
111 void lcl_showDocumentMacrosDisabledError( const Reference< XInteractionHandler >& rxHandler, bool& rbAlreadyShown )
112 {
113 #ifdef MACOSX
114 lcl_showGeneralSfxErrorOnce( rxHandler, ERRCODE_SFX_DOCUMENT_MACRO_DISABLED_MAC, rbAlreadyShown );
115 #else
116 lcl_showGeneralSfxErrorOnce( rxHandler, ERRCODE_SFX_DOCUMENT_MACRO_DISABLED, rbAlreadyShown );
117 #endif
118 }
119
120 void lcl_showMacrosDisabledUnsignedContentError( const Reference< XInteractionHandler >& rxHandler, bool& rbAlreadyShown )
121 {
122 lcl_showGeneralSfxErrorOnce( rxHandler, ERRCODE_SFX_DOCUMENT_MACRO_DISABLED_CONTENT_UNSIGNED, rbAlreadyShown );
123 }
124
125 bool lcl_showMacroWarning( const Reference< XInteractionHandler >& rxHandler,
126 const OUString& rDocumentLocation )
127 {
128 DocumentMacroConfirmationRequest aRequest;
129 aRequest.DocumentURL = rDocumentLocation;
130 return SfxMedium::CallApproveHandler( rxHandler, makeAny( aRequest ), true );
131 }
132 }
133
134 //= DocumentMacroMode
135 DocumentMacroMode::DocumentMacroMode( IMacroDocumentAccess& rDocumentAccess )
136 :m_xData( std::make_shared<DocumentMacroMode_Data>( rDocumentAccess ) )
137 {
138 }
139
140 bool DocumentMacroMode::allowMacroExecution()
141 {
142 m_xData->m_rDocumentAccess.setCurrentMacroExecMode( MacroExecMode::ALWAYS_EXECUTE_NO_WARN );
143 return true;
144 }
145
146 bool DocumentMacroMode::disallowMacroExecution()
147 {
148 m_xData->m_rDocumentAccess.setCurrentMacroExecMode( MacroExecMode::NEVER_EXECUTE );
149 return false;
150 }
151
152 bool DocumentMacroMode::adjustMacroMode( const Reference< XInteractionHandler >& rxInteraction, bool bHasValidContentSignature )
153 {
154 if ( SvtSecurityOptions::IsMacroDisabled() )
155 {
156 // no macro should be executed at all
157 lcl_showMacrosDisabledError( rxInteraction, m_xData->m_bMacroDisabledMessageShown );
158 return disallowMacroExecution();
159 }
160
161 // get setting from configuration if required
162 enum AutoConfirmation
163 {
164 eNoAutoConfirm,
165 eAutoConfirmApprove,
166 eAutoConfirmReject
167 };
168 AutoConfirmation eAutoConfirm( eNoAutoConfirm );
169
170 sal_Int16 nMacroExecutionMode = m_xData->m_rDocumentAccess.getCurrentMacroExecMode();
171 if ( ( nMacroExecutionMode == MacroExecMode::USE_CONFIG )
172 || ( nMacroExecutionMode == MacroExecMode::USE_CONFIG_REJECT_CONFIRMATION )
173 || ( nMacroExecutionMode == MacroExecMode::USE_CONFIG_APPROVE_CONFIRMATION )
174 )
175 {
176 // check confirm first, as nMacroExecutionMode is always overwritten by the GetMacroSecurityLevel() switch
177 if (nMacroExecutionMode == MacroExecMode::USE_CONFIG_REJECT_CONFIRMATION)
178 eAutoConfirm = eAutoConfirmReject;
179 else if (nMacroExecutionMode == MacroExecMode::USE_CONFIG_APPROVE_CONFIRMATION)
180 eAutoConfirm = eAutoConfirmApprove;
181
182 switch ( SvtSecurityOptions::GetMacroSecurityLevel() )
183 {
184 case 3: // "Very high"
185 nMacroExecutionMode = MacroExecMode::FROM_LIST_NO_WARN;
186 break;
187 case 2: // "High"
188 nMacroExecutionMode = MacroExecMode::FROM_LIST_AND_SIGNED_WARN;
189 break;
190 case 1: // "Medium"
191 nMacroExecutionMode = MacroExecMode::ALWAYS_EXECUTE;
192 break;
193 case 0: // "Low"
194 nMacroExecutionMode = MacroExecMode::ALWAYS_EXECUTE_NO_WARN;
195 break;
196 default:
197 OSL_FAIL( "DocumentMacroMode::adjustMacroMode: unexpected macro security level!" );
198 nMacroExecutionMode = MacroExecMode::NEVER_EXECUTE;
199 }
200 }
201
202 if ( nMacroExecutionMode == MacroExecMode::NEVER_EXECUTE )
203 return disallowMacroExecution();
204
205 if ( nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE_NO_WARN )
206 return allowMacroExecution();
207
208 SignatureState nSignatureState = SignatureState::UNKNOWN;
209 const OUString sURL(m_xData->m_rDocumentAccess.getDocumentLocation());
210 try
211 {
212 // get document location from medium name and check whether it is a trusted one
213 // the service is created without document version, since it is not of interest here
214 Reference< XDocumentDigitalSignatures > xSignatures(DocumentDigitalSignatures::createDefault(::comphelper::getProcessComponentContext()));
215 INetURLObject aURLReferer(sURL);
216
217 OUString aLocation = aURLReferer.GetMainURL( INetURLObject::DecodeMechanism::NONE );
218
219 if ( !aLocation.isEmpty() && xSignatures->isLocationTrusted( aLocation ) )
220 {
221 return allowMacroExecution();
222 }
223
224 // at this point it is clear that the document is not in the secure location
225 if ( nMacroExecutionMode == MacroExecMode::FROM_LIST_NO_WARN )
226 {
227 lcl_showDocumentMacrosDisabledError( rxInteraction, m_xData->m_bDocMacroDisabledMessageShown );
228 return disallowMacroExecution();
229 }
230
231 // check whether the document is signed with trusted certificate
232 if ( nMacroExecutionMode != MacroExecMode::FROM_LIST )
233 {
234 nSignatureState = m_xData->m_rDocumentAccess.getScriptingSignatureState();
235
236 if (!bHasValidContentSignature
237 && (nMacroExecutionMode == MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN
238 || nMacroExecutionMode == MacroExecMode::FROM_LIST_AND_SIGNED_WARN)
239 && m_xData->m_rDocumentAccess.macroCallsSeenWhileLoading())
240 {
241 // When macros are required to be signed, and the document has events which call
242 // macros, the document content needs to be signed, too. Do it here, and avoid
243 // possible UI asking to always trust certificates, after which the user's choice
244 // to allow macros would be ignored anyway.
245 lcl_showMacrosDisabledUnsignedContentError(rxInteraction, m_xData->m_bDocMacroDisabledMessageShown);
246 return disallowMacroExecution();
247 }
248
249 // At this point, the possible values of nMacroExecutionMode are: ALWAYS_EXECUTE,
250 // FROM_LIST_AND_SIGNED_WARN (the default), FROM_LIST_AND_SIGNED_NO_WARN.
251 // ALWAYS_EXECUTE corresponds to the Medium security level; it should ask for
252 // confirmation when macros are unsigned or untrusted. FROM_LIST_AND_SIGNED_NO_WARN
253 // should not ask any confirmations. FROM_LIST_AND_SIGNED_WARN should only allow
254 // trusted signed macros at this point; so it may only ask for confirmation to add
255 // certificates to trusted, and shouldn't show UI when trusted list is read-only.
256 const bool bAllowUI
257 = nMacroExecutionMode != MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN
258 && eAutoConfirm == eNoAutoConfirm
259 && (nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE
260 || !SvtSecurityOptions::IsReadOnly(
261 SvtSecurityOptions::EOption::MacroTrustedAuthors));
262 const bool bHasTrustedMacroSignature = m_xData->m_rDocumentAccess.hasTrustedScriptingSignature(bAllowUI ? rxInteraction : nullptr);
263
264 if (bHasTrustedMacroSignature)
265 {
266 // there is trusted macro signature, allow macro execution
267 return allowMacroExecution();
268 }
269 else if ( nSignatureState == SignatureState::OK
270 || nSignatureState == SignatureState::NOTVALIDATED )
271 {
272 // there is valid signature, but it is not from the trusted author
273 if (eAutoConfirm == eAutoConfirmApprove
274 && nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE)
275 {
276 // For ALWAYS_EXECUTE + eAutoConfirmApprove (USE_CONFIG_APPROVE_CONFIRMATION
277 // in Medium security mode), do not approve it right here; let Security Zone
278 // check below do its job first.
279 }
280 else
281 {
282 // All other cases of valid but untrusted signatures should result in denied
283 // macros here. This includes explicit reject from user in the UI in cases
284 // of FROM_LIST_AND_SIGNED_WARN and ALWAYS_EXECUTE
285 if (!bAllowUI)
286 lcl_showDocumentMacrosDisabledError(rxInteraction, m_xData->m_bDocMacroDisabledMessageShown);
287 return disallowMacroExecution();
288 }
289 }
290 // Other values of nSignatureState would result in either rejected macros
291 // (FROM_LIST_AND_SIGNED_*), or a confirmation.
292 }
293 }
294 catch ( const Exception& )
295 {
296 DBG_UNHANDLED_EXCEPTION("sfx.doc");
297 }
298
299 // at this point it is clear that the document is neither in secure location nor signed with trusted certificate
300 if ((nMacroExecutionMode == MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN)
301 || (nMacroExecutionMode == MacroExecMode::FROM_LIST_AND_SIGNED_WARN))
302 {
303 if (nMacroExecutionMode == MacroExecMode::FROM_LIST_AND_SIGNED_WARN)
304 lcl_showDocumentMacrosDisabledError(rxInteraction, m_xData->m_bDocMacroDisabledMessageShown);
305
306 return disallowMacroExecution();
307 }
308
309 #if defined(_WIN32)
310 // Windows specific: try to decide macros loading depending on Windows Security Zones
311 // (is the file local, or it was downloaded from internet, etc?)
312 OUString sFilePath;
313 osl::FileBase::getSystemPathFromFileURL(sURL, sFilePath);
314 sal::systools::COMReference<IZoneIdentifier> pZoneId;
315 pZoneId.CoCreateInstance(CLSID_PersistentZoneIdentifier);
316 sal::systools::COMReference<IPersistFile> pPersist(pZoneId, sal::systools::COM_QUERY);
317 DWORD dwZone;
318 if (!pPersist || !SUCCEEDED(pPersist->Load(o3tl::toW(sFilePath.getStr()), STGM_READ)) ||
319 !SUCCEEDED(pZoneId->GetId(&dwZone)))
320 {
321 // no Security Zone info found -> assume a local file, not
322 // from the internet
323 dwZone = URLZONE_LOCAL_MACHINE;
324 }
325
326 // determine action from zone and settings
327 sal_Int32 nAction;
328 switch (dwZone) {
329 case URLZONE_LOCAL_MACHINE:
330 nAction = officecfg::Office::Common::Security::Scripting::WindowsSecurityZone::ZoneLocal::get();
331 break;
332 case URLZONE_INTRANET:
333 nAction = officecfg::Office::Common::Security::Scripting::WindowsSecurityZone::ZoneIntranet::get();
334 break;
335 case URLZONE_TRUSTED:
336 nAction = officecfg::Office::Common::Security::Scripting::WindowsSecurityZone::ZoneTrusted::get();
337 break;
338 case URLZONE_INTERNET:
339 nAction = officecfg::Office::Common::Security::Scripting::WindowsSecurityZone::ZoneInternet::get();
340 break;
341 case URLZONE_UNTRUSTED:
342 nAction = officecfg::Office::Common::Security::Scripting::WindowsSecurityZone::ZoneUntrusted::get();
343 break;
344 default:
345 // unknown zone, let's ask the user
346 nAction = 0;
347 break;
348 }
349
350 // act on result
351 switch (nAction)
352 {
353 case 0: // Ask
354 break;
355 case 1: // Allow
356 if (nSignatureState != SignatureState::BROKEN
357 && nSignatureState != SignatureState::INVALID)
358 return allowMacroExecution();
359 break;
360 case 2: // Deny
361 return disallowMacroExecution();
362 }
363 #endif
364 // confirmation is required
365 bool bSecure = false;
366
367 if ( eAutoConfirm == eNoAutoConfirm )
368 {
369 OUString sReferrer(sURL);
370 osl::FileBase::getSystemPathFromFileURL(sReferrer, sReferrer);
371
372 bSecure = lcl_showMacroWarning( rxInteraction, sReferrer );
373 }
374 else
375 bSecure = ( eAutoConfirm == eAutoConfirmApprove );
376
377 return ( bSecure ? allowMacroExecution() : disallowMacroExecution() );
378 }
379
380
381 bool DocumentMacroMode::isMacroExecutionDisallowed() const
382 {
383 return m_xData->m_rDocumentAccess.getCurrentMacroExecMode() == MacroExecMode::NEVER_EXECUTE;
384 }
385
386
387 bool DocumentMacroMode::containerHasBasicMacros( const Reference< XLibraryContainer >& xContainer )
388 {
389 bool bHasMacroLib = false;
390 try
391 {
392 if ( xContainer.is() )
393 {
394 // a library container exists; check if it's empty
395
396 // if there are libraries except the "Standard" library
397 // we assume that they are not empty (because they have been created by the user)
398 if ( !xContainer->hasElements() )
399 bHasMacroLib = false;
400 else
401 {
402 static const OUStringLiteral aStdLibName( u"Standard" );
403 static const OUStringLiteral aVBAProject( u"VBAProject" );
404 const Sequence< OUString > aElements = xContainer->getElementNames();
405 for( const OUString& aElement : aElements )
406 {
407 if( aElement == aStdLibName || aElement == aVBAProject )
408 {
409 Reference < XNameAccess > xLib;
410 Any aAny = xContainer->getByName( aElement );
411 aAny >>= xLib;
412 if ( xLib.is() && xLib->hasElements() )
413 return true;
414 }
415 else
416 return true;
417 }
418 }
419 }
420 }
421 catch( const Exception& )
422 {
423 DBG_UNHANDLED_EXCEPTION("sfx.doc");
424 }
425 return bHasMacroLib;
426 }
427
428
429 bool DocumentMacroMode::hasMacroLibrary() const
430 {
431 bool bHasMacroLib = false;
432 #if HAVE_FEATURE_SCRIPTING
433 try
434 {
435 Reference< XEmbeddedScripts > xScripts( m_xData->m_rDocumentAccess.getEmbeddedDocumentScripts() );
436 Reference< XLibraryContainer > xContainer;
437 if ( xScripts.is() )
438 xContainer.set( xScripts->getBasicLibraries(), UNO_QUERY_THROW );
439 bHasMacroLib = containerHasBasicMacros( xContainer );
440
441 }
442 catch( const Exception& )
443 {
444 DBG_UNHANDLED_EXCEPTION("sfx.doc");
445 }
446 #endif
447 return bHasMacroLib;
448 }
449
450
451 bool DocumentMacroMode::storageHasMacros( const Reference< XStorage >& rxStorage )
452 {
453 bool bHasMacros = false;
454 if ( rxStorage.is() )
455 {
456 try
457 {
458 static constexpr OUStringLiteral s_sBasicStorageName( u"Basic" );
459 static constexpr OUStringLiteral s_sScriptsStorageName( u"Scripts" );
460
461 bHasMacros =( ( rxStorage->hasByName( s_sBasicStorageName )
462 && rxStorage->isStorageElement( s_sBasicStorageName )
463 )
464 || ( rxStorage->hasByName( s_sScriptsStorageName )
465 && rxStorage->isStorageElement( s_sScriptsStorageName )
466 )
467 );
468 }
469 catch ( const Exception& )
470 {
471 DBG_UNHANDLED_EXCEPTION("sfx.doc");
472 }
473 }
474 return bHasMacros;
475 }
476
477 bool DocumentMacroMode::hasMacros() const
478 {
479 return m_xData->m_rDocumentAccess.documentStorageHasMacros() || hasMacroLibrary() || m_xData->m_rDocumentAccess.macroCallsSeenWhileLoading();
480 }
481
482 bool DocumentMacroMode::checkMacrosOnLoading( const Reference< XInteractionHandler >& rxInteraction, bool bHasValidContentSignature, bool bHasMacros )
483 {
484 bool bAllow = false;
485 if ( SvtSecurityOptions::IsMacroDisabled() )
486 {
487 // no macro should be executed at all
488 bAllow = disallowMacroExecution();
489 }
490 else
491 {
492 if (bHasMacros)
493 {
494 bAllow = adjustMacroMode( rxInteraction, bHasValidContentSignature );
495 }
496 else if ( !isMacroExecutionDisallowed() )
497 {
498 // if macros will be added by the user later, the security check is obsolete
499 bAllow = allowMacroExecution();
500 }
501 }
502 return bAllow;
503 }
504
505
506 } // namespace sfx2
507
508
509 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
FREE OFFICE SUITE