Bug 115166 - "Block links from locations not trusted" should block the loading of external images in any HTML element
Status: NEW
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice
Version (earliest affected): 5.3.7.2 release
Hardware: All; OS: All
Importance: medium enhancement
Assignee: Not Assigned
Blocks: HTML-Import
Reported: 2018-01-23 10:07 UTC by Olivier
Modified: 2018-07-10 19:40 UTC
CC: 5 users



Attachments
The HTML file that causes the problems (31.53 KB, text/html)
2018-01-23 10:09 UTC, Olivier

Description Olivier 2018-01-23 10:07:52 UTC
Description:
I enabled "Ctrl-click required to follow the links" and "Block links from locations not trusted". I chose the "very high" macro security level and the list of trusted sources is empty.

But when I try to load the attached HTML document (see https://pastebin.com/Qn91Yi7Q), LO still tries to open the connection located at line 676.

The machine where I conduct the test cannot open external connections.

I don't know if the other external links in that file are being loaded or not.

Steps to Reproduce:
1. Launch LO with stealth mode
2. Load the file

Actual Results:
1. LO waits an infinitely long time (over ten minutes)

2. "netstat -a" shows a SYN_SENT to 173.247.251.214:80
   tcp4  0  0 192.41.170.16.41790  173.247.251.214.80 SYN_SENT

3. lsof(8) confirms that the connection originates from LO

4. The TCP handshake cannot be completed due to the restrictions in the firewall, so LO waits indefinitely.

Expected Results:
LO should be displaying the file, maybe asking me if I want to follow the links


Reproducible: Always


User Profile Reset: Yes



Additional Info:
Version: 5.3.7.2.0+
Build ID: FreeBSD ports 5.3.7_2
CPU Threads: 2; OS Version: FreeBSD 11.1; UI Render: default; Layout Engine: new; 
Locale: en-US (C); Calc: group

$ uname -a
FreeBSD mail.cs.ait.ac.th 11.1-RELEASE-p6 FreeBSD 11.1-RELEASE-p6 #11 r326754: Tue Dec 12 11:41:24 +07 2017     root@mail.cs.ait.ac.th:/usr/obj/usr/src/sys/CSIM  amd64



User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2600.0 Iron Safari/537.36
Comment 1 Olivier 2018-01-23 10:09:11 UTC
Created attachment 139291
The HTML file that causes the problems
Comment 2 Olivier 2018-01-23 10:11:40 UTC
It seems LO continues trying to send a new connection when the first SYN expires: after a while I have a different netstat result (different port):

tcp4       0      0 192.41.170.16.55379    173.247.251.214.80     SYN_SENT
Comment 3 Buovjaga 2018-02-17 15:50:34 UTC
The line you refer to is an input field of the type image:
<td align="right"><a href="javascript:GoTofff();"><INPUT onclick="return GoTofff()" border="0" src="http://icacci-conference.org/site/sites/default/files/submit_icon.gif" type="image" Value="submit"></a></td><td width="1"></td>

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/image

So you are proposing Tools - Options - LibreOffice - Security - Security options and warnings - "Block links from locations not trusted" should disable loading of external images. It's a valid request, similarly to what email clients do by default (such as Thunderbird).

I confirm I see the "Submit" image when I load the file with the high security settings.

Arch Linux 64-bit
Version: 6.1.0.0.alpha0+
Build ID: 26783527823883ccd5bbf3b9e014a0a3c1e3a022
CPU threads: 8; OS: Linux 4.15; UI render: default; VCL: kde4; 
Locale: fi-FI (fi_FI.UTF-8); Calc: group
Built on February 16th 2018
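The distinction drawn in comment 3, between a navigation link that is only fetched on click and an element whose resource is fetched as soon as the document renders, can be checked before a file is opened. The following is an added example, not code from this report or from LibreOffice: a small Python script that lists the auto-loading external references in an HTML file and treats `<input type="image">` as a loader like `<img>`. The sample HTML is constructed and the host name is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements whose listed attribute is fetched automatically when the page renders,
# as opposed to <a href>, which is only followed on click.
AUTO_LOAD_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",), "frame": ("src",),
    "embed": ("src",), "object": ("data",), "link": ("href",),
    "source": ("src",), "video": ("src", "poster"), "audio": ("src",),
}

class ExternalLoadFinder(HTMLParser):
    """Collect (tag, url) pairs for every auto-loaded remote resource."""
    def __init__(self):
        super().__init__()
        self.loads = []   # fetched on render (the class this bug is about)
        self.links = []   # click-to-follow links, reported separately

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        # <input type="image" src=...> behaves like <img>: the image is fetched on render.
        if tag == "input" and a.get("type", "").lower() == "image":
            names = ("src",)
        else:
            names = AUTO_LOAD_ATTRS.get(tag, ())
        for name in names:
            url = a.get(name, "")
            if urlparse(url).scheme in ("http", "https", "ftp"):
                self.loads.append((tag, url))
        if tag == "a" and urlparse(a.get("href", "")).scheme in ("http", "https"):
            self.links.append(a["href"])

def find_external_loads(html):
    """Return (auto-loaded remote resources, click-only remote links)."""
    p = ExternalLoadFinder()
    p.feed(html)
    p.close()
    return p.loads, p.links

# Constructed sample modelled on the element quoted in comment 3 (placeholder host).
SAMPLE = """<html><body>
<a href="http://example.invalid/page">a link, fetched only on click</a>
<img src="images/local.png">
<td><a href="javascript:GoTofff();"><INPUT onclick="return GoTofff()" border="0"
  src="http://example.invalid/submit_icon.gif" type="image" Value="submit"></a></td>
</body></html>"""

if __name__ == "__main__":
    loads, links = find_external_loads(SAMPLE)
    for tag, url in loads:
        print(f"auto-load via <{tag}>: {url}")
```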
Comment 4 Buovjaga 2018-07-06 19:32:36 UTC
Caolán: I was discussing this on IRC with another person and he noted your commit [0] concerns links inside externally loaded documents instead of any & all links. This person, too, thought the option would block any untrusted links.

How do you feel this request should be dealt with? Should the option be repurposed to this very greedy mode people are expecting?

[0] https://cgit.freedesktop.org/libreoffice/core/commit/?id=0b7f4a4f57117fde33d0b1df96134aa6ccce023e