Bug Hunting Session
Bug 83665 - External images should not be loaded by default, but should show an infobar that allows them to be loaded
Summary: External images should not be loaded by default, but should show an infobar t...
Status: NEW
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: UI (show other bugs)
Version:
(earliest affected)
4.3.1.2 release
Hardware: All All
: medium enhancement
Assignee: Not Assigned
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: Infobar
  Show dependency treegraph
 
Reported: 2014-09-09 12:36 UTC by Matthew Francis
Modified: 2016-05-27 20:43 UTC (History)
3 users (show)

See Also:
Crash report or crash signature:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthew Francis 2014-09-09 12:36:19 UTC
Externally linked images are currently loaded in Writer (and presumably for other document types as well) by default upon document load.

For several reasons, including the fact that this means documents can be web-bugged under the default configuration, and the fact that from time to time image parsing exploits occur, this does not seem like a sensible default security setting.
(While an exploit image could as well be inserted directly into the document, existing documents and templates would become silently exploitable by anyone able to replace the target of existing HTTP-linked images, contrary to a user's expectation that they'd have to actually download a document to be vulnerable)

Although this can be disabled globally in Options - LibreOffice - Security - "Block any links from documents not among the trusted locations", I believe it would be better good user experience for this to be an always/never/ask tristate, with an infobar to allow loading (and possibly also linking to the "Edit - Links" dialog to list the images in question?)

(* Is there also an option somewhere which applies specifically to image links? I thought there was, but can't presently find one. The above option allows for exceptions to be added for filesystem locations under the "Macro Security..." dialog, but apparently not for arbitrary URLs. Some way of specifying URL exceptions could also be useful)


See also bug 83662 - which allows images to be inserted in documents that cannot be seen in the Navigator
Comment 1 Yousuf Philips (jay) (retired) 2014-09-09 19:51:20 UTC
Yes i think it maybe a good idea to implement something like this, similar to how thunderbird has an infobar stating 'to protect your privacy, thunderbird has blocked remote content in this message' and then gives a drop down menu with options to allow remote content for a particular website and edit remote content preferences.
Comment 2 Jean-Baptiste Faure 2014-09-14 12:16:49 UTC
This is a great idea of enhancement. :-)

Best regards. JBF
Comment 3 Jérôme Augé 2015-01-30 08:12:19 UTC
I just stumbled on this case (i.e. automatic loading of external resources) with a LibreOffice in server mode (but also with the desktop version).

Is there a way (LibreOffice setting or option) to disable the loading of external HTTP resources?

Otherwise, this means an outside attacker can perform arbitrary HTTP requests from within a corporate LAN for example.

The attacker creates a document with special "xlink:href" URLs designed to exploit internal services. It then sends this document to a corporate user which will open the file from his computer on the LAN, and LibreOffice will perform the HTTP requests designed by the attacker.

I consider this a serious security threat. In a sense, it looks like the XXE (XML External Entity Processing) vulnerabilities.

Without a global security switch to disable the loading of these external resources, the only solution I see to mitigate this is to manually sanitize the "content.xml", to remove any images having HTTP URLs in "xlink:href", before opening the document with LibreOffice.

Regards,
Jérôme