LOC-Extension

Serious vulnerability issue

Open lbayle opened this issue 2 years ago • 2 comments

Hi, the 0.3.0 branch comes with a RUNCOMMAND() function which allows executing any external command. This, IMHO, is a major security issue.

It would be extremely simple to introduce a keylogger, spyware, rootkit or download any type of malware from a spreadsheet (starting with Examples.ods).

So I strongly recommend to deactivate this function in the code and recompile before you install the plugin.

As we all know, the cryptocurrency world is full of hackers & thieves, so be warned.

Best regards

lbayle, Feb 05 '23 18:02

Fair point.

I see it as a useful tool for sheets I created. If running someone else's sheet then it's a more risky proposition.

Anyone building the v0.3 branch for themselves should bear your concern in mind and deactivate the function if they don't have a compelling use case for it.

walkjivefly, Feb 05 '23 20:02

Here is a v0.3.2 version without the RUNCOMMAND and including my fix for LibreOffice 7.4

https://github.com/lbayle/LOC-Extension/blob/master/LOC.oxt

lbayle, Feb 08 '23 18:02
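
A check that follows from the concern raised in this thread, as an added example that is not part of the thread or of the LOC-Extension code: scan a spreadsheet's `content.xml` for cell formulas that call RUNCOMMAND before opening the file in LibreOffice. How the call appears in the stored formula text, the size cap and the sample document are assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
OFFICE_NS = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
TABLE_NS = "urn:oasis:names:tc:opendocument:xmlns:table:1.0"
MAX_CONTENT_BYTES = 50 * 1024 * 1024  # assumed cap against decompression bombs
# Assumption: the stored formula text contains the name RUNCOMMAND followed by
# "(", possibly behind an add-in service prefix, so match it anywhere.
CALL_RE = re.compile(r"RUNCOMMAND\s*\(", re.IGNORECASE)

def find_runcommand(ods_file):
    """Return [(sheet, formula)] for each cell formula that calls RUNCOMMAND."""
    with zipfile.ZipFile(ods_file) as z:
        info = z.getinfo("content.xml")
        if info.file_size > MAX_CONTENT_BYTES:
            raise ValueError("content.xml too large to scan")
        data = z.read(info)
    # ODF content needs no DTD; refuse one instead of risking entity expansion.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("content.xml declares a DTD, refusing to parse")
    root = ET.fromstring(data)
    hits = []
    for sheet in root.iterfind(f".//{{{OFFICE_NS}}}spreadsheet/{{{TABLE_NS}}}table"):
        name = sheet.get(f"{{{TABLE_NS}}}name", "?")
        for el in sheet.iter():
            formula = el.get(f"{{{TABLE_NS}}}formula")
            if formula and CALL_RE.search(formula):
                hits.append((name, formula))
    return hits

def make_ods(content_xml):
    """Wrap an XML string in an in-memory zip, as a stand-in for a .ods file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("content.xml", content_xml)
    return buf

# Constructed sample: one ordinary formula, one RUNCOMMAND call with a
# placeholder argument, and one cell that only mentions the name as text.
SAMPLE_XML = (
    f'<office:document-content xmlns:office="{OFFICE_NS}" xmlns:table="{TABLE_NS}">'
    '<office:body><office:spreadsheet><table:table table:name="Prices">'
    '<table:table-row><table:table-cell table:formula="of:=SUM([.A1:.A3])"/>'
    '<table:table-cell table:formula="of:=RUNCOMMAND(&quot;placeholder&quot;)"/>'
    '</table:table-row></table:table><table:table table:name="Notes">'
    '<table:table-row><table:table-cell>RUNCOMMAND( as plain text</table:table-cell>'
    '</table:table-row></table:table></office:spreadsheet></office:body>'
    '</office:document-content>'
)
```

`find_runcommand` also accepts a path to a real `.ods` file. It covers cell formulas only, so named expressions, validation conditions and macros in the document need a separate review.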