Old/Obsolete file format import still needed?
dtardon at redhat.com
Thu Feb 11 06:34:03 UTC 2016
On Wed, Feb 10, 2016 at 02:20:50PM -0500, Bryan Quigley wrote:
> > Anyhow - I share your concern wrt. the attack surface that all these
> > old file filters provide for us; I attach a prototype patch that adds an
> > 'EXOTIC' annotation to our filter descriptions. It is missing a UI
> > Interaction Handler piece (cf. the hole with the notes and so on in
> > there ;-) - we'll need a new request type I guess.
> > My ideal would be to pop up a dialog saying:
> > "You're asking LibreOffice to open a very unusual file-type.
> > Unless you are certain that this file is indeed a <Lotus
> > Word Pro> file it is safest to not open it.
> > [ ] - never show this again
> > [ this is an unusual file ] [get me out of here ]"
> > Of some kind =) is that something you'd be interested in working on ?
> Thanks for the first pass code. I generally don't find dialouges like
> that to be super useful (many users just click right through).
> However, in labeling them Exotic we could add a configuration option
> to let system administrators disable them all in one go for a secure
> site, etc. I'll look into that more.
This of course makes the assumption that filters for common formats
(like .doc etc.) do not contain vulnerabilities, which is IMHO just
wishful thinking. IIRC there was exactly 1 CVE for import of non-MS file
format during the ~8 years I have been working on this code base. And I
think the likelihood to encounter a malformed (or even malicious) MS
Word document is far greater than, e.g., Hangul Word or AppleWorks
document. So the "secure site" aspect seems rather dubious to me.
Not to mention that users/admins in different countries (or even in
different professions) may have different ideas about which formats
should be considered "exotic".
More information about the LibreOffice