[Libreoffice-bugs] [Bug 119507] New: macro signature's should not be removed as long as macro source code has not changed

bugzilla-daemon at bugs.documentfoundation.org bugzilla-daemon at bugs.documentfoundation.org
Sun Aug 26 13:40:11 UTC 2018 

https://bugs.documentfoundation.org/show_bug.cgi?id=119507

            Bug ID: 119507
           Summary: macro signature's should not be removed as long as
                    macro source code has not changed
           Product: LibreOffice
           Version: Inherited From OOo
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: medium
         Component: BASIC
          Assignee: libreoffice-bugs at lists.freedesktop.org
          Reporter: oliver.brinzing at gmx.de

Created attachment 144453
  --> https://bugs.documentfoundation.org/attachment.cgi?id=144453&action=edit
macro signed template

imagine an enterprise environment, where users should work with 
templates (containing macros) and macro security level is set to "High":

steps to reproduce:

- set Macro Security to "High":
  Menu "Tools/Options.../LibreOffice/Security/[Macro Security...]"
- open attached template:
  Menu "File/Templates/Open Template ..."
- check "[x] Always trust macros from this source" and [Enable Macros]

  btw: is there an option to prevent users trusting a signed macro?
       imho it would make sence to have an option to allow only macro's
       signed with preinstalled/validated certificates.

- verify signatures: 
  document (banner below toolbar) and 
  macro (Menu "Tools/Macros/Digital Signature..."
- close template

- open a document from template:
  Menu "File/Open.../macro_signed_template.ott"
- document and macro signature's have been removed.
- but [Run Macro] will still work!
- save "Untitled 1" as "test.odt" and close
- open "test.odt"
- macros execution is disabled now

"repair" test.odt:
- copy "META-INF/macrosignatures.xml" from "macro_signed_template.ott"
  to test.odt's "META-INF" folder.
- open "test.odt"
- [Run Macro] will work again

conclusion:
macro signature's should not be removed as long as macro source code 
has not changed.

problem:
- open "test.odt"
- Menu "File/Tools/Macros/Edit Macro"
- edit macro (for example change msgbox text) *without* saving the document
- [Run Macro] will work!
- save and close
- open "test.odt"
- macro will not work

conclusion:
macro execution should be disabled as soon as macro source code has changed.
user should be warned editing signed macro code.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/libreoffice-bugs/attachments/20180826/f639a491/attachment-0001.html>

More information about the Libreoffice-bugs mailing list