security warning now additionally on *calling* scripts/macros

Caolán McNamara caolanm at redhat.com
Wed Sep 4 19:48:45 UTC 2019


Documents that contain macros trigger LibreOffice to present the
warning dialog that the document contains macros, and by default then
not allow the document to execute macros.

But documents that don't contain macros, but *call* scripts/macros
shipped with LibreOffice, were explicitly put outside of that control.
We then have a bunch of different ways to link various document events
like mouse-over or document-load or validate-cell-data to execution of
scripts.

We've had a series of problems where either:
 * A script shipped with LibreOffice should not have been trusted to be
called by document event callbacks
 * Or the document smuggles a script location url past restriction
checks and manages to execute a script on the target file system that
it shouldn't be allowed to access

And then a number of iterations of discovery of new ways to get past
added checks.

So recently I've made an effort to demote these "shared" built-in
scripts from their privileged position and to consider the presence of
a call to a script-like thing as equally hazardous as containing macros
to get that warning dialog for these cases. This has been backported to
6.2.7 and 6.3.1.

Some more details are available in the commit
https://cgit.freedesktop.org/libreoffice/core/commit/?h=libreoffice-6-2&id=35fe064a67b54b0680b4845477c9b8751edda160
which maintainers of LTS might find worthwhile backporting to their own
branches as an additional backstop.
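For defenders who want to triage documents along the lines described above, here is an added example (not LibreOffice code and not from the linked commit) that scans an ODF package for event bindings and hyperlinks whose target is a script URL, and models the policy change: the old check only counted scripts embedded in the document, the new one treats any script call as macro-equivalent. It assumes the standard ODF markup (`script:event-listener` elements carrying `xlink:href`) and the `vnd.sun.star.script:` and `macro:` URL schemes; the sample document is constructed inline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
EVENT_NAME = "{urn:oasis:names:tc:opendocument:xmlns:script:1.0}event-name"
# URL schemes LibreOffice resolves to script execution (assumption: not an exhaustive list).
SCRIPT_SCHEMES = ("vnd.sun.star.script:", "macro:")

def find_script_bindings(xml_bytes):
    """Return (event, href, location) for each element whose xlink:href targets a script."""
    found = []
    for elem in ET.fromstring(xml_bytes).iter():
        href = elem.get(XLINK_HREF, "")
        if href.startswith(SCRIPT_SCHEMES):
            # location=application/share: script shipped with the suite; document: embedded one.
            location = parse_qs(urlsplit(href).query).get("location", ["unknown"])[0]
            found.append((elem.get(EVENT_NAME, "hyperlink"), href, location))
    return found

def scan_odf_package(zip_bytes):
    """Collect script bindings from the ODF parts that can carry event listeners or links."""
    bindings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as odf:
        for part in ("content.xml", "styles.xml"):
            if part in odf.namelist():
                bindings.extend(find_script_bindings(odf.read(part)))
    return bindings

def needs_macro_warning(bindings, embedded_only=False):
    """Policy model: the old check counted only embedded scripts, the new one any script call."""
    if embedded_only:
        return any(loc == "document" for _, _, loc in bindings)
    return bool(bindings)

# Constructed sample: no embedded macro, but document-load is bound to a built-in script.
SAMPLE_CONTENT_XML = (
    b'<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
    b' xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"'
    b' xmlns:xlink="http://www.w3.org/1999/xlink"><office:scripts><office:event-listeners>'
    b'<script:event-listener script:event-name="dom:load" script:language="ooo:script"'
    b' xlink:href="vnd.sun.star.script:Placeholder.Module.Run?language=Basic&amp;location=application"/>'
    b'</office:event-listeners></office:scripts></office:document-content>'
)

def build_sample_package():  # minimal zip so the scanner can be exercised offline
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as odf:
        odf.writestr("content.xml", SAMPLE_CONTENT_XML)
    return buf.getvalue()
```

Running `needs_macro_warning(scan_odf_package(build_sample_package()))` returns True for the sample, while the `embedded_only=True` model returns False, which is exactly the gap the post describes.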
