Description:

Short version:

Correct the macro security level description of the High level.

Current text:

> Only signed macros from trusted sources are allowed to run.
> Unsigned macros are disabled.

Proposal:

> Only macros from trusted sources and signed macros (from any source) are allowed to run.
> Macros that are neither from a trusted source nor signed are disabled.

(Please check the correctness.)

--------

Long version:

The macro security level settings of LibreOffice provide the following options:

> _Low (not recommended).
> All macros will be executed without confirmation.
> Use this setting only if you are certain that all documents that will be opened are safe.
>
> _Medium.
> Confirmation required before executing macros from untrusted sources.
>
> H_igh.
> Only signed macros from trusted sources are allowed to run.
> Unsigned macros are disabled.
>
> _Very high.
> Only macros from trusted file locations are allowed to run.
> All other macros, regardless whether signed or not, are disabled.

(cf. Tools/Options…/LibreOffice/Security/Macro Security…/Security Level; text copied from xmlsecurity/uiconfig/ui/securitylevelpage.ui commit 67950f00989dff4640ba83e540673375a2c60a13)

The descriptions of some settings appear to be contradictory:

- The formulation of the High setting suggests that macros need to be signed _and_ from a trusted source. Especially the second sentence “Unsigned macros are disabled” strengthens the need for a signature.
- Also the text for the Very high setting demands that macros come from a trusted source; however, signing is not mentioned.

Looking at the help (https://help.libreoffice.org/6.2/en-US/text/shared/optionen/macrosecurity_sl.html), it seems to be the case that the High setting actually accepts macros that are signed _or_ come from a trusted source. There we find the following description:

> Only signed macros from a trusted source are allowed to run. In addition, any macro from a trusted file location is allowed to run.

(In my opinion, it is not good style to give a statement in a first sentence but then alter the meaning of the statement in a second sentence, but that is another issue.)

I propose to change the description of the High setting to:

> Only macros from trusted sources and signed macros (from any source) are allowed to run.
> Macros that are neither from a trusted source nor signed are disabled.

Note that I am only guessing here. I strongly suggest accurately rechecking whether the description of each security level matches the actual effect of that setting. Translations for localization may have to be adapted as well.

Steps to Reproduce:
Read the settings at Tools/Options…/LibreOffice/Security/Macro Security…/Security Level.

Actual Results:
The descriptions of the macro security levels seem contradictory.

Expected Results:
The descriptions shall be accurate.

Reproducible: Always

User Profile Reset: No

Additional Info:

> Only signed macros from trusted sources are allowed to run.
> Unsigned macros are disabled.

I agree, this is misleading.

According to the help (https://help.libreoffice.org/6.2/en-US/text/shared/optionen/macrosecurity_sl.html), "trusted sources" refers to the "Trusted Sources tab page".

Dear Toni Dietze,

To make sure we're focusing on the bugs that affect our users today, LibreOffice QA is asking bug reporters and confirmers to retest open, confirmed bugs which have not been touched for over a year.

There have been thousands of bug fixes and commits since anyone checked on this bug report. During that time, it's possible that the bug has been fixed, or the details of the problem have changed. We'd really appreciate your help in getting confirmation that the bug is still present.

If you have time, please do the following:

Test to see if the bug is still present with the latest version of LibreOffice from https://www.libreoffice.org/download/

If the bug is present, please leave a comment that includes the information from Help - About LibreOffice.

If the bug is NOT present, please set the bug's Status field to RESOLVED-WORKSFORME and leave a comment that includes the information from Help - About LibreOffice.

Please DO NOT

- Update the version field
- Reply via email (please reply directly on the bug tracker)
- Set the bug's Status field to RESOLVED - FIXED (this status has a particular meaning that is not appropriate in this case)

If you want to do more to help you can test to see if your issue is a REGRESSION. To do so:

1. Download and install oldest version of LibreOffice (usually 3.3 unless your bug pertains to a feature added after 3.3) from https://downloadarchive.documentfoundation.org/libreoffice/old/
2. Test your bug
3. Leave a comment with your results.
4a. If the bug was present with 3.3 - set version to 'inherited from OOo';
4b. If the bug was not present in 3.3 - add 'regression' to keyword

Feel free to come ask questions or to say hello in our QA chat: https://kiwiirc.com/nextclient/irc.freenode.net/#libreoffice-qa

Thank you for helping us make LibreOffice even better for everyone!

Warm Regards,
QA Team

MassPing-UntouchedBug

The issue is still present on current master: https://git.libreoffice.org/core/+/567b4281b96f56ce48d3feb57522255b06816f9b/xmlsecurity/uiconfig/ui/securitylevelpage.ui

I also checked that it is still present in the packaged version on Arch Linux:

Version: 7.3.6.2 / LibreOffice Community
Build ID: 30(Build:2)
CPU threads: 8; OS: Linux 5.19; UI render: default; VCL: kf5 (cairo+xcb)
Locale: de-DE (de_DE.UTF-8); UI: en-US
7.3.6-2
Calc: threaded

Bogdan B committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/help/commit/4f1d8245e409f5df7ca88c83a573cb07f181d0a5

tdf#126574 Macro security high level description