From 73e751fc67ea5ae52d15bea1645241ef624188a4 Mon Sep 17 00:00:00 2001 From: Mike Kaganski Date: Thu, 9 Nov 2023 16:12:45 +0300 Subject: [PATCH] Fix USE_CONFIG_APPROVE_CONFIRMATION and USE_CONFIG_REJECT_CONFIRMATION They still showed UI in case of signed macros. Two decisions were made, to improve security of USE_CONFIG_APPROVE_CONFIRMATION: 1. In case of High macro security mode, valid but untrusted certificate will be automatically rejected (because it is not safe to automatically add trusted certificates) - so in this mode, USE_CONFIG_APPROVE_CONFIRMATION is the same as USE_CONFIG_REJECT_CONFIRMATION; 2. In case of Medium macro security mode, valid but untrusted certificate will not automatically allow macros execution, but will proceed to the following checks - which on Windows will try to check the source's Security Zone, and may disallow macros based on that. Only after Security Zone check the macros will be automatically allowed. Change-Id: I1a9c92c6b940b689599c5d106798ecfc691dad46 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159214 Tested-by: Jenkins Reviewed-by: Mike Kaganski Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159278 Reviewed-by: Miklos Vajna --- sfx2/source/doc/docmacromode.cxx | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/sfx2/source/doc/docmacromode.cxx b/sfx2/source/doc/docmacromode.cxx index 3d4198662379..02f568ac6027 100644 --- a/sfx2/source/doc/docmacromode.cxx +++ b/sfx2/source/doc/docmacromode.cxx @@ -253,9 +253,12 @@ namespace sfx2 // should not ask any confirmations. FROM_LIST_AND_SIGNED_WARN should only allow // trusted signed macros at this point; so it may only ask for confirmation to add // certificates to trusted, and shouldn't show UI when trusted list is read-only. - const bool bAllowUI = nMacroExecutionMode != MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN - && (nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE - || !SvtSecurityOptions::IsReadOnly(SvtSecurityOptions::EOption::MacroTrustedAuthors)); + const bool bAllowUI + = nMacroExecutionMode != MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN + && eAutoConfirm == eNoAutoConfirm + && (nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE + || !SvtSecurityOptions::IsReadOnly( + SvtSecurityOptions::EOption::MacroTrustedAuthors)); const bool bHasTrustedMacroSignature = m_xData->m_rDocumentAccess.hasTrustedScriptingSignature(bAllowUI ? rxInteraction : nullptr); if (bHasTrustedMacroSignature) @@ -267,11 +270,22 @@ namespace sfx2 || nSignatureState == SignatureState::NOTVALIDATED ) { // there is valid signature, but it is not from the trusted author - // this case includes explicit reject from user in the UI in cases of - // FROM_LIST_AND_SIGNED_WARN and ALWAYS_EXECUTE - if (!bAllowUI) - lcl_showDocumentMacrosDisabledError(rxInteraction, m_xData->m_bDocMacroDisabledMessageShown); - return disallowMacroExecution(); + if (eAutoConfirm == eAutoConfirmApprove + && nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE) + { + // For ALWAYS_EXECUTE + eAutoConfirmApprove (USE_CONFIG_APPROVE_CONFIRMATION + // in Medium security mode), do not approve it right here; let Security Zone + // check below do its job first. + } + else + { + // All other cases of valid but untrusted signatures should result in denied + // macros here. This includes explicit reject from user in the UI in cases + // of FROM_LIST_AND_SIGNED_WARN and ALWAYS_EXECUTE + if (!bAllowUI) + lcl_showDocumentMacrosDisabledError(rxInteraction, m_xData->m_bDocMacroDisabledMessageShown); + return disallowMacroExecution(); + } } // Other values of nSignatureState would result in either rejected macros // (FROM_LIST_AND_SIGNED_*), or a confirmation. -- 2.11.4.GIT