Bug 135508 - Relative linked text sections should automatically read on document opening
Summary: Relative linked text sections should automatically read on document opening
Status: REOPENED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer (show other bugs)
Version:
(earliest affected)
7.0.3.1 release
Hardware: All Windows (All)
: medium enhancement
Assignee: Not Assigned
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: Section
  Show dependency treegraph
 
Reported: 2020-08-06 19:15 UTC by S.Zosgornik
Modified: 2021-02-12 22:14 UTC (History)
6 users (show)

See Also:
Crash report or crash signature:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description S.Zosgornik 2020-08-06 19:15:23 UTC
Description:
Adding text from documents inside other documents is a very handy feature in LibreOffice Writer - e.g. when creating a huge amount of documents with frequently repeating descriptions to basic subjects.

For the reason that LibreOffice Writer can handle relative paths it is even possible to insert all sourcing documents along the main documents and move the resident folder to other places and even send the documents to other persons e.g. as downloaded zip-folder.

However, LibreOffice Writer always ask the user to update the document for the latest state of the linked source-documents during opening of documents with one or more text-sections. This is in my most arrogant opinion not the way text-sections should work and very frustrating for users which have to (re-)open several documents a day.

Steps to Reproduce:
1. Create a document
2. Link one or several source documents as Sections inside the newly created document
3. Close the document and re-open it
4. A text-message will appear ask you "The Document filename contains one or more links to external data. Would you like to change the document and update..."
5.1 you chose "Yes" and the document will update to the latest versions of the source files
5.2 you chose "No" and the document will show its text-sections as the latest saved state

Actual Results:
LibreOffice Writer always ask for users advice for handling text-sections inside documents on every opening of documents that include them.

LibreOffice only updates text-sections on users request.

Expected Results:
LibreOffice Writer should always read the latest and greatest version of sourced text-documents and automatically include corresponding text inside the opening document.

For all: Text can always be inserted statically on creation time be using Insert >> Text from file...


Reproducible: Always


User Profile Reset: No


OpenGL enabled: Yes

Additional Info:
Btw. LibreOffice Writer will never ask the user for updating audio files or images but always include the latest version of a linked file, as they may changed.
Comment 1 Dieter 2020-12-22 15:47:34 UTC
Sascha, I think this is more an enhancement request than a bug, because everything works as it should (but of course, improvement is alwys possible). So let's ask design team.

cc: Design-Team for further input and decision
Comment 2 S.Zosgornik 2020-12-23 00:17:32 UTC
(In reply to Dieter from comment #1)
> Sascha, I think this is more an enhancement request than a bug, because
> everything works as it should (but of course, improvement is alwys
> possible). So let's ask design team.
> 
> cc: Design-Team for further input and decision

Thanks for your replay Dieter. I am from design team myself and open to discuss it in one of our meetings. ATM LibO ALWAYS ask the user to update relative linked documents even if the document itself wasn't changed (open right after last save) and linked documents haven't moved or changed. So LibO always ask without any reason.
Comment 3 Heiko Tietze 2021-01-11 04:49:46 UTC
Understand this question as a security measure. Could agree if author and current user are the same. Mike, what's your take?
Comment 4 Mike Kaganski 2021-01-11 05:12:08 UTC
(In reply to Heiko Tietze from comment #3)
> Understand this question as a security measure.

Absolutely. The request is out of question, because automatically reading an external document (even local one) may lead to all kinds of security/privacy issues, think about documents with URLs to sites that track your IP; the link in fact could be in the document near the main one, if you received several malicious documents in a ZIP, so links to local files are not safe.

> Could agree if author and current user are the same. Mike, what's your take?

An author/user name is not secure data; they are mainly for convenience. No one prevents me from entering the same user name into my copy of LO, if I ever get a sample document from you, and see the user name mentioned there (and even if I never get a document from you, I may prepare several versions of malicious documents with reasonably guessed user names). It could be only used in signed documents, where you can have some level of confidence that the authors are actually what it claims they are ... then how likely would it improve UX for users who "have to (re-)open several documents a day"? Or is it reasonable that users' documents reopened that often are all signed (likely finalized, or else they will nag the users with a different question about "edits will invalidate the signature")?
Comment 5 S.Zosgornik 2021-01-11 10:57:06 UTC
This bug-report wasn't about any external data but relative linked documents on your own hard-drive.

Take two documents, both in the same folder, one is relative linked to the other one. You move the entire folder, the relative link keeps the same but LibO will ask you to update the link. Same happens just to have a relative linked document without any changes. LibO will always ask to update the source documents whenever you open the target.

Steps to reproduce:
- Create a new document
- Link any other document as a section (Insert>Section>Checkmark on "Link" while  Options>Load\Save>Save URLs relative to file system is enable)
-Save and reload the document

Same happens for linked pictures with "Save URLs relative..." enabled
Comment 6 Mike Kaganski 2021-01-11 11:03:06 UTC
(In reply to S.Zosgornik from comment #5)
> This bug-report wasn't about any external data but relative linked documents
> on your own hard-drive.

You seem to not read carefully. Specifically for this case, I explained in comment 4:

> Absolutely. The request is out of question, because automatically reading an
> external document (even local one) may lead to all kinds of security/privacy
> issues, think about documents with URLs to sites that track your IP; the
> link in fact could be in the document near the main one, if you received
> several malicious documents in a ZIP, so links to local files are not safe.

To emphasize the relevant parts:

*even local one*
*the link in fact could be in the document near the main one*

So no, silencing only relatively-referenced local documents is not an option, since it is no less dangerous.

Closing WONTFIX again. Please do not reopen, unless you have a good proposal that addresses the security issues.
Comment 7 S.Zosgornik 2021-01-11 12:39:34 UTC
(In reply to Mike Kaganski from comment #6)

> You seem to not read carefully. Specifically for this case, I explained in
> comment 4:
> 
> > Absolutely. The request is out of question, because automatically reading an
> > external document

Again, you speak about documents with links to external SITES while I speak about locale files. LibreOffice isn't a web-browser nor an email-client. It can't open web-sites other than in plain-text and the only concern would be about external images that could track the users.

So I can totally agree to a secure setting to prevent LibO to open remote files. Similar to the security setting of disable macros by default.

But the dialog says: "The document contains one or more links to external data. Would you like to change the document, and update all links to get the most recent data?" And even if you chose "No" will LibO include the data of the linked document, just not updated to the current version.

Sure. buffer-overrun attempts can happen, even on local files downloaded from the wrong source. But the right solution should be to ask the user to execute macro data and open remote files rather than urge him to confirm his own documents on every opening.
Comment 8 Mike Kaganski 2021-01-11 12:47:03 UTC
(In reply to S.Zosgornik from comment #7)
> Again, you speak about documents with links to external SITES while I speak
> about locale files.

I speak about local files, too. If you automatically open a local file linked to currently opened local file, you are at risk.

> LibreOffice isn't a web-browser nor an email-client. It
> can't open web-sites other than in plain-text and the only concern would be
> about external images that could track the users.

Wrong. You perfectly can reference other ODFs or OOXMLs from e.g. WebDAV (i.e., "http:/...")

> So I can totally agree to a secure setting to prevent LibO to open remote
> files. Similar to the security setting of disable macros by default.
> 
> But the dialog says: "The document contains one or more links to external
> data. Would you like to change the document, and update all links to get the
> most recent data?" And even if you chose "No" will LibO include the data of
> the linked document, just not updated to the current version.

The data is cached in the opened document, so LO does not need to fetch anything from other files.

> Sure. buffer-overrun attempts can happen, even on local files downloaded
> from the wrong source. But the right solution should be to ask the user to
> execute macro data and open remote files rather than urge him to confirm his
> own documents on every opening.

LibreOffice has no way to know if that's your documents or not.

Maybe Caolan and Stephan have their opinion on this?
Comment 9 Caolán McNamara 2021-01-14 16:43:22 UTC
https://www.libreoffice.org/about-us/security/advisories/CVE-2017-3157/
https://www.libreoffice.org/about-us/security/advisories/CVE-2015-4551/
https://www.libreoffice.org/about-us/security/advisories/CVE-2014-3575/

are three historical cases where we issued advisories that there existed cases where documents/links/previews were updated without a warning and we changed things so that wouldn't happen for what that's worth. The advisory arguments, for the normal desktop user case, mostly center around a attacker sending someone a document with a hidden section containing a link to a plausible location in the attacked users file system and convincing them to send it back to the attacker.

IIRC its possible to use tools, options, macro security and "trusted sources" to designate a dir as a "trusted file location" which I think has an effect on this.
Comment 10 S.Zosgornik 2021-01-17 14:26:08 UTC
(In reply to Caolán McNamara from comment #9)
> 
> IIRC its possible to use tools, options, macro security and "trusted
> sources" to designate a dir as a "trusted file location" which I think has
> an effect on this.

Thank you for your reply.
I thought on a security setting, maybe hidden under the advanced options for expert users that know they only work with self-created files or files from trustworthy sources.
But having the possibility to declare directories as "trusted locations" should be the better security solution.
Unfortunately Macro Security>Trusted Sources has no impact for linked documents.
Comment 11 S.Zosgornik 2021-02-01 21:03:50 UTC
(In reply to Caolán McNamara from comment #9)
> 
> IIRC its possible to use tools, options, macro security and "trusted
> sources" to designate a dir as a "trusted file location" which I think has
> an effect on this.

Found the option - it's under 
Tools>Options>LibreOffice Writer/Calc>General>Updates Links when Loading

Writer just doesn't mention "from trusted locations"
Comment 12 Adalbert Hanßen 2021-02-08 14:53:03 UTC
(In reply to S.Zosgornik from comment #0)
> ...
> 
> For the reason that LibreOffice Writer can handle relative paths it is even
> possible to insert all sourcing documents along the main documents and move
> the resident folder to other places and even send the documents to other
> persons e.g. as downloaded zip-folder.

How did you enter relative paths? When browsing, LO Writer always gives a full path like this file:///home/full path to/file.odt.

If I manually change this to 

file:///./file.odt

or to

./file.odt.

I can enter this link (which should be relative links), but the file is not shown in the newly created section.
Comment 13 S.Zosgornik 2021-02-08 19:51:23 UTC
Option in the settings.
Comment 14 S.Zosgornik 2021-02-12 22:14:23 UTC
Don't know about reopening this bug-report. Everything works as expected with the right settings. Only documentation lags the needed informations and there is still bug 128216 open that will always confuse users.