Download it now!
Bug 128006 - Macro warning dialog is prompted on every function or sub call (see comment 4)
Summary: Macro warning dialog is prompted on every function or sub call (see comment 4)
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: BASIC (show other bugs)
Version:
(earliest affected)
6.4.0.0.alpha0+
Hardware: All All
: medium normal
Assignee: Not Assigned
URL:
Whiteboard: target:7.1.0 target:7.0.0.1 target:6.4.6
Keywords: bibisected, bisected, regression
: 133814 (view as bug list)
Depends on:
Blocks:
 
Reported: 2019-10-07 21:50 UTC by Alessandro Tassi
Modified: 2020-07-01 09:28 UTC (History)
6 users (show)

See Also:
Crash report or crash signature:


Attachments
File with one form "Autores" that call to another form "Biblioteca" (20.48 KB, application/vnd.oasis.opendocument.database)
2019-10-18 12:38 UTC, Pedro
Details
odb file (1.53 MB, application/vnd.oasis.opendocument.database)
2020-02-05 06:57 UTC, Alessandro Tassi
Details
fake source ods file (9.83 KB, application/vnd.oasis.opendocument.spreadsheet)
2020-02-05 06:59 UTC, Alessandro Tassi
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Alessandro Tassi 2019-10-07 21:50:36 UTC
Hallo,
in 6.3 version every time is called the same macro script the same warning dialog appears asking permission to execute it.
It's very annoying to confirm it every time is activated for example a form control linked to the same basic macro in the same file.
I have found the same problem with 6.3.0-1 6.3.1-1 and 6.3.2-1 x86_64 arch linux packages opening the same base file (actually a managing software in basic), still working good with 6.2.5-1 version.
I beg you to fix, thanks a lot.
ale
Comment 1 Oliver Brinzing 2019-10-08 17:22:08 UTC
Thank you for reporting the bug. 

To be certain the reported issue is not
related to corruption in the user profile, could you please reset your
Libreoffice profile ( https://wiki.documentfoundation.org/UserProfile ) and
re-test?

If the problem still exists, please attach a sample document, as this makes it easier for us to verify the bug. 
(Please note that the attachment will be public, remove any sensitive information before attaching it. 
See https://wiki.documentfoundation.org/QA/FAQ#How_can_I_eliminate_confidential_data_from_a_sample_document.3F for help on how to do so.)

I have set the bug's status to 'NEEDINFO'. Please change it back to
'UNCONFIRMED' if the issue is still present
Comment 2 Pedro 2019-10-18 12:38:26 UTC
Created attachment 155119 [details]
File with one form "Autores" that call to another form "Biblioteca"
Comment 3 Pedro 2019-10-18 12:46:51 UTC
I have the same problem. When trying to open a form from a button with a macro from another form there is a warning message on the existing macro. This started to appear when I moved to LO 6.2.7.1 and it exists too in 6.3.2.1. My previous version 6.0 work fine and the security level was set to high. Now I have to set it to medium and to click on allow macros in order to use the database. I have reset the user profile with no changes in the behavior. It is quite annoying having to click on tis warning message every time I open a form.
I attach a file so that you can see the problem.
Thanks and best regards
Pedro
Comment 4 Oliver Brinzing 2019-10-19 08:22:07 UTC
i tried:
- open Biblioteca.odb - the *.odb file itself does not contain macros.
- select Forms -> Autores
- select button [Biblioteca]

but get an error:
A Scripting Framework error occurred while running the Basic script vnd.sun.star.script:Standard.Module1.openFormByTag?language=Basic&location=application.
Message: The following Basic script could not be found:
library: 'Standard'
module: 'Module1'
method: 'openFormByTag'
location: 'application'

to make it work, you need also a macro in My Macros/Standard/Module1, e.g.:

REM  *****  BASIC  *****
Sub openFormByTag(oEvt)
  MsgBox "Hello World"
End Sub

now i can confirm, with:

Version: 6.3.2.2 (x64)
Build-ID: 98b30e735bda24bc04ab42594c85f7fd8be07b9c
CPU-Threads: 4; BS: Windows 10.0; UI-Render: Standard; VCL: win; 
Gebietsschema: de-DE (de_DE); UI-Sprache: de-DE
Calc: 

and Security Level:

- Very High/High
  warning: "This document contains macros. Macros may contain viruses. 
  Execution of macros is disabled due to the current macro security setting"
  -> but macro will be excuted, cause it is located in trusted zone "My Macros"

- Medium
  warning, with an option to activate macros
  -> macro will be executed, does not matter if one disables macros in dialog,
     cause it is located in trusted zone "My Macros"

- Low
  no warning
  -> macro will be executed

*not* reproducible (no warnings) with:

Version: 6.1.6.3 (x64)
Build-ID: 5896ab1714085361c45cf540f76f60673dd96a72
CPU-Threads: 4; BS: Windows 10.0; UI-Render: Standard; 
Gebietsschema: de-DE (de_DE); Calc: 


btw: another problem with base and Macro Security Level:
Bug 97694 - Base macros cannot be digitally signed
Comment 5 Pedro 2019-10-19 10:27:54 UTC
Hello.
I wonder if there is a way to declare My Macros as a trusted zone or it comes declared by default.
I declared the directories where I save the databases as trusted origin but it does not seem to work; the warning message on macros and viruses keeps showing. In the other hand, I cannot set up My Macros there (I do not know the route)
Pedro
Comment 6 Oliver Brinzing 2019-10-19 12:34:30 UTC
(In reply to Pedro from comment #5)

> I wonder if there is a way to declare My Macros as a trusted zone or it
> comes declared by default.

"My Macros" is in trusted zone by default, as mentioned above, with security level "Medium", it does not matter if you disable macros, your macro from "My Macros" will be executed.

> I declared the directories where I save the databases as trusted origin but
> it does not seem to work; the warning message on macros and viruses keeps
> showing. 

This works for me:

Add a Macro Module to the *.odb file and set security level to "Medium" or "Very high" and add the directory where the *.odb file is stored to trusted zone.
Comment 7 Pedro 2019-10-19 16:25:40 UTC
Thanks Oliver.
I assume that there is no need to declare the database files to the trusted zone since the macros are already in the trusted zone by default.
Comment 8 Alessandro Tassi 2020-02-05 06:57:08 UTC
Created attachment 157652 [details]
odb file

odb file asking for macro permission every time a form is asked to be opened
Comment 9 Alessandro Tassi 2020-02-05 06:58:14 UTC
Hi,
I have tried creating a new profile, re-created macro libraries and then erased my macros. I have changed my db source from mysql jdbc connection to a fake spreadsheet file (see attachments "soffice.ods"). 
The confirmation is asked every time I try to open a new form window although the security macro level is set to "medium".
The problem is independent from DB connection or specific macros, as from personal profile.
I suspect the problem is inside the odb file (attached).
Could you verify as well?
Thanks a lot
Alessandro
Comment 10 Alessandro Tassi 2020-02-05 06:59:51 UTC
Created attachment 157653 [details]
fake source ods file
Comment 11 Alessandro Tassi 2020-06-08 02:49:42 UTC
I have tried changing profile and creating new file: if I paste the same forms the problem is still there: every time I open the forms this anoising window advising "the document contains macros..." appears.
Another strange behaviour is that selecting either "enable" or "disable" button the macros work! 
So I think the problem is inside form files and I should recreate them manually but it's a huge work.
Comment 12 Alessandro Tassi 2020-06-08 07:02:04 UTC
Now the matter is clearer: the problem occurs every time I try to open a form containing a button linked to a basic macro.
It occurs with new profile and with new files too, even inserting db directory origin in trusted sources list.
The advice window appears either with medium or high macro security level (although with different alert) every time I try to open the form.
Then the macro works independently from my answer.
Comment 13 Buovjaga 2020-06-08 18:07:12 UTC
Bibisected with Linux64-6.4 to https://git.libreoffice.org/core/+/b3edf85e0fe6ca03dc26e1bf531be82193bc9627%5E!/
warn on load when a document binds an event to a macro

Adding Cc: to Caolán McNamara

I used Oliver's instructions from comment 4. The warning either appears or doesn't upon double-clicking the form Autores.

Based on the commit message, not sure if this is the intended result rather than a bug?
Comment 14 Caolán McNamara 2020-06-08 19:43:28 UTC
It was a deliberate change (due to the flood of CVE-2019-9848, CVE-2019-9852, CVE-2019-9851, CVE-2019-9850, CVE-2019-9853, CVE-2019-9855 and CVE-2019-9854) to warn about documents that merely *call* macros equivalently to documents that *contain* macros. 

In this case I suspect the approach of comment #5, adding a trusted document location and using it for the trusted odb, is something that should have worked. Maybe it doesn't work because the forms are inside a .odb that itself is inside the trusted location, so my first instinct is to see if that could be made work.
Comment 15 Caolán McNamara 2020-06-09 07:57:29 UTC
https://gerrit.libreoffice.org/c/core/+/95861 seems to work
Comment 16 Oliver Brinzing 2020-06-10 03:48:41 UTC
*** Bug 133814 has been marked as a duplicate of this bug. ***
Comment 17 Andreas Säger 2020-06-11 13:21:46 UTC
Adding a macro to get rid of the macro warning feels funny, indeed.
Comment 18 Commit Notification 2020-06-19 15:14:25 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/02e20dfa733d050e9d37285ad36323b2aad46ffe

tdf#128006 allow documents inside odbs to be as trusted as their container

It will be available in 7.1.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 19 Commit Notification 2020-06-19 15:15:46 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-7-0":

https://git.libreoffice.org/core/commit/ac65ade24aa10c0a39d7d38576ad54bd00724455

tdf#128006 allow documents inside odbs to be as trusted as their container

It will be available in 7.0.0.1.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 20 Caolán McNamara 2020-06-19 15:22:50 UTC
That should make subdocuments hosted in an odb which is in a "trusted location" as trusted as their wrapper odb document so odbs like this can be put into a designated "trusted location" and the warnings won't appear.

Fixed in master and 7-0. Not yet in 6-4, lets give it some time in there to test for fallout before backporting
Comment 21 Commit Notification 2020-07-01 09:28:52 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-6-4":

https://git.libreoffice.org/core/commit/f9bd290d08f08464103372633462421ba0918754

tdf#128006 allow documents inside odbs to be as trusted as their container

It will be available in 6.4.6.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.