From 1dec4285bd4c59c23a6a9a56cee9a66ebe0ba6c3 Mon Sep 17 00:00:00 2001 Message-ID: <1dec4285bd4c59c23a6a9a56cee9a66ebe0ba6c3.1723721182.git.erack@redhat.com> From: Sarper Akdemir Date: Tue, 11 Jun 2024 12:39:36 +0200 Subject: [PATCH] remove ability to trust not validated macro signatures in high security MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="------------erAck-patch-parts" This is a multi-part message in MIME format. --------------erAck-patch-parts Content-Type: text/plain; charset=UTF-8; format=fixed Content-Transfer-Encoding: 8bit Giving the user the option to determine if they should trust an invalid signature in HIGH macro security doesn't make sense. CommonName of the signature is the most prominent feature presented and the CommonName of a certificate can be easily forged for an invalid signature, tricking the user into accepting an invalid signature. in the HIGH macro security setting only show the pop-up to enable/disable signed macro if the certificate signature can be validated. cherry-picked without UI/String altering bits for 24-2 Change-Id: Ia766fb701660160ee5dc9f6e077f4012a44ce721 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/168667 Tested-by: Jenkins Reviewed-by: Sarper Akdemir (cherry picked from commit 2beaa3be3829303e948d401f492dbfd239d60aad) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/169525 Reviewed-by: Thorsten Behrens Reviewed-on: https://gerrit.libreoffice.org/c/core/+/171306 Reviewed-by: Caolán McNamara Tested-by: Caolán McNamara Reviewed-on: https://gerrit.libreoffice.org/c/core/+/171314 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/171315 --- sfx2/source/doc/docmacromode.cxx | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --------------erAck-patch-parts Content-Type: text/x-patch; name="0001-remove-ability-to-trust-not-validated-macro-signatur.patch" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="0001-remove-ability-to-trust-not-validated-macro-signatur.patch" diff --git a/sfx2/source/doc/docmacromode.cxx b/sfx2/source/doc/docmacromode.cxx index 919033cbaf5d..33d546f2920a 100644 --- a/sfx2/source/doc/docmacromode.cxx +++ b/sfx2/source/doc/docmacromode.cxx @@ -228,14 +228,18 @@ namespace sfx2 // check whether the document is signed with trusted certificate if ( nMacroExecutionMode != MacroExecMode::FROM_LIST ) { + SignatureState nSignatureState = m_xData->m_rDocumentAccess.getScriptingSignatureState(); + // the trusted macro check will also retrieve the signature state ( small optimization ) const SvtSecurityOptions aSecOption; const bool bAllowUIToAddAuthor = nMacroExecutionMode != MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN && (nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE - || !aSecOption.IsReadOnly(SvtSecurityOptions::EOption::MacroTrustedAuthors)); + || !aSecOption.IsReadOnly(SvtSecurityOptions::EOption::MacroTrustedAuthors)) + && (nMacroExecutionMode != MacroExecMode::FROM_LIST_AND_SIGNED_WARN + || nSignatureState == SignatureState::OK); + const bool bHasTrustedMacroSignature = m_xData->m_rDocumentAccess.hasTrustedScriptingSignature(bAllowUIToAddAuthor); - SignatureState nSignatureState = m_xData->m_rDocumentAccess.getScriptingSignatureState(); if ( nSignatureState == SignatureState::BROKEN ) { if (!bAllowUIToAddAuthor) --------------erAck-patch-parts--