Bug 36017 - Security: Make Extension manager the only way to install addons (Not directly from file manager, not directly from browser)
Summary: Security: Make Extension manager the only way to install addons (Not directly...
Status: RESOLVED WORKSFORME
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: UI (show other bugs)
Version:
(earliest affected)
unspecified
Hardware: All All
: medium enhancement
Assignee: Not Assigned
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: Extension-Manager
  Show dependency treegraph
 
Reported: 2011-04-06 00:44 UTC by Manuel Reimer
Modified: 2017-11-30 21:52 UTC (History)
3 users (show)

See Also:
Crash report or crash signature:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Manuel Reimer 2011-04-06 00:44:01 UTC
Firefox (as an example of another application with addon support) already realized that addons may get a potential security risk, some time ago.

They have whitelists of sites, allowed to install addons and prompt the user that installing addons may cause security/privacy problems.

In my opinion it shouldn't be too easy to install addons. So for example the file type "oxt" shouldn't be registered to LibreOffice at all (Mozilla doesn't register their XPI to Firefox, also).

The extension manager should be the only way to install new addons, so a user has to explicitly enter a installation process and doesn't think he just opens some kind of document.
Comment 1 Olivier Hallot 2011-04-06 14:44:43 UTC
Listed in the wiki as whishlist, albeit in a slightly different approach

http://wiki.documentfoundation.org/Development/Enterprises_nice-to-have#Extensions_UI_should_be_disableable
Comment 2 Björn Michaelsen 2011-12-23 12:06:43 UTC Comment hidden (obsolete)
Comment 3 Florian Reisinger 2012-08-14 14:00:02 UTC Comment hidden (obsolete)
Comment 4 Florian Reisinger 2012-08-14 14:01:11 UTC Comment hidden (obsolete)
Comment 5 Florian Reisinger 2012-08-14 14:05:55 UTC Comment hidden (obsolete)
Comment 6 Florian Reisinger 2012-08-14 14:07:56 UTC Comment hidden (obsolete)
Comment 7 sasha.libreoffice 2012-08-31 08:09:35 UTC
something like RFE
Comment 8 Jorendc 2013-01-29 21:40:43 UTC
Thanks for reporting!

(In reply to comment #1)
> Listed in the wiki as whishlist, albeit in a slightly different approach
> 
> http://wiki.documentfoundation.org/Development/Enterprises_nice-to-
> have#Extensions_UI_should_be_disableable

Therefore I mark this as 'NEW' and add a 'See also' in that wiki page.

Kind regards,
Joren
Comment 9 Muhammet Kara 2017-05-26 11:59:00 UTC
Since tdf#26019 has now been closed as fixed, it is possible to disable extension installation via both the Extension Manager and the file manager.
Comment 10 Muhammet Kara 2017-08-24 08:23:29 UTC
Extension installation/removal via GUI (and through browser/file manager) can be disabled after this series of patches:

https://gerrit.libreoffice.org/36688
https://gerrit.libreoffice.org/37990
https://gerrit.libreoffice.org/38283

Is this bug still valid?