Skip to content

start:

Security Enhancements in StarOffice 6.0 / OpenOffice.org according to IssueZilla Bug #1120

Problem to Solve

    Macros in all documents, executed via file:// url; will be executed without warning.


    Solution

    A solution to solve this problem is to give users the possibility to set all macro related security settings in Tools-Option-Security tab.

    The following steps should solve the problem.


    Path Settings

    The path list (Tools-Options-Security) contains all trusted path given by users. The default
    'file://' entry in the path list should be replace by more precise paths listed below:


  • $instURL

  • $userURL

  • $workDIR


All path has to point to standard folders. Changing the old file URL to the three new once provides more security due to the fact that users do not have the possibility to run macros from directories like Temp for example.


    Run Macro Settings

    The three radio buttons (From list, Never execute, Always execute) located on the Tools-Options-Security page will be replace by a dropdown list box (labeled Run macros) which contains the three options

    Old Term

    New Term

    From list

    According to path list

    Never execute

    Never

    Always execute

    Always




    The options will be renamed as listed below:
    In addition beneath to the Run macros dropdown list box are located two check boxes. The first one is labeled Confirm in the case of other document sources the other is labeled Show warning before running macros. The Show warning before running feature is the renamed and removed feature of Tools-Configure-Events / Security settings (Figure 1 & 2)

    The Confirm in the case of other document sources option will be enabled if users chose the According to path list option in the dropdown list, otherwise the Confirm ..... item remains disabled (grayed out).

    The Show warning before running macros option will be disabled if the option Never was chosen in the Run Macros dropdown list box. The states are illustrated in Figure 3,4,5 & 6.

    Warning Message

    The warning message which appears, if a macro will be run from a location which is not trusted, should be expanded by a more detailed information. The renewed warning dialogue needs much space for text than the old one.


    Current Text
    An event to which a macro is configured has been started. Do you want to execute the macro?

    CheckBox Do not warn again for this document.
    OKButton Run
    CancelButton Don't run


    New Text (macro title is an example):
    An event to which a macro, called "soffice.Gimmicks..GetTexts. GetCalcGraphicNames", is configured has been started. Do you want to run the macro?

    CheckBox Do not warn again for this document    .
    OKButton Run
    CancelButton Don't run


    Illustrations


Illustration 1 current Configuration/Events tab











Illustration 2 Configuration/Events dialogue after removing the "Show warning" option.





Illustration 3 Renewed Tool Options Security dialogue





Illustration 4 The security dialogue with "Run macro Never" option







Illustration 5 The security dialogue with "Run macro Alway" option





Illustration 6 German Version of the new features