Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Join us at Qlik Connect for 3 magical days of learning, networking,and inspiration! REGISTER TODAY and save!

"Open URL" and "Launch" disabled for document sheet buttons in latest QlikView Plugin releases

No ratings
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sonja_Bauernfeind
Digital Support
Digital Support

"Open URL" and "Launch" disabled for document sheet buttons in latest QlikView Plugin releases

Last Update:

Sep 24, 2020 7:14:42 AM

Updated By:

Sonja_Bauernfeind

Created date:

Aug 13, 2020 5:50:35 AM

A document sheet can have buttons, which in turn can have associated Actions. 

These Actions can be of several types, but there are two in particular which have been disabled in the Internet Explorer Plugin due to security concerns:

  • Launch
  • Open URL

buttons.png

 

See QV-20715: Remote Code Execution RCE. QvPlugin IE for QCS 

To benefit from the security fixes the Internet Explorer plugin need to be updated.

After an update, the disabled features can be re-enabled (not recommended). 

Environment:

QlikView April 2020 12.50 SR1
QlikView April 2019 12.40 SR4
QlikView November 2018 12.30 SR5
QlikView November 2017 12.20 SR11
QlikView 11.20 SR21

 

Resolution

A new switch has been added to re-enable these functionalities. Please, consider that this is a security risk. The setting needs to be changed on each individual Internet Explorer Plugin installation. 

  • Locate: Edit the settings.ini file in C:\Users\username\AppData\Roaming\QlikTech\QlikView
  • in the [Settings 7] section add the line Allow20715=1 

 

Labels (1)
Labels:
6,137 Views
Was this article helpful? Yes No
Comments
peterwh
Creator II
Creator II
‎2020-09-07 03:32 AM

Hello,

Is there any other option to get this functionality back (starting a external program) without the setting mentioned in this post (but with security hints for the user for example)?

Kind regards
Peter Hübschen

Sonja_Bauernfeind
Digital Support
Digital Support
‎2020-09-07 05:38 AM

Hello @peterwh 

Once the Plugin and/or Desktop have been upgraded with the fix, regaining the functionality will require the documented workaround. 

Kind Regards, 

Sonja 

peterwh
Creator II
Creator II
‎2020-09-11 05:17 AM

Hello @Sonja_Bauernfeind ,

I've encountered another problem with this patch. We're using  a straight table chart in all of our dashboards to link to the dashboard documentations, which are hosted on a (internal) wiki-site. This doesn't work anymore.

It's not button related but I think in the background the same procedure is called. I think it would be useful if this information was provided too.

But I think Qlik should reconsider this patch, because useful use cases are broken - in my opinion.

Kind regards,

Peter Hübschen

peterwh
Creator II
Creator II
‎2020-09-11 05:26 AM

"meta_Doku_Link" is like "<url>http://...""meta_Doku_Link" is like "<url>http://..."

glacoste
Creator
Creator
‎2020-09-17 09:26 AM

@Sonja_Bauernfeind  Could you detail what are the "security risks" of including a controlled link in a QlikView panel? It is a basic feature that any program should support, please detail.

peterwh
Creator II
Creator II
‎2020-09-17 09:59 AM

Hello @glacoste ,

after all what I've read and what the fix does whose provided by Qlik, I think the security risk is a global one.

I think the set-up is something like this:
If you open a QlikView-dashboard from a foreign site with Internet Explorer in plugin-mode, there could be a link to a website with malware or behind a button is a execution of a malware program, to gain access to your local system. ActiveX and Internet Explorer was never a truly secure combination.

It's too bad that Qlik simply cut off this functionality. I would find it better if you could define secure site-addresses where this functionality is still working (like a intranet-sites) and if a site is not on this list there would be a warning message, that this functionality is not availaible or something.

Kind regards

Peter

Sonja_Bauernfeind
Digital Support
Digital Support
‎2020-09-18 07:13 AM

@glacoste @peterwh summarized this nicely! I checked with our Product Team to confirm 🙂

As for the functionality having been switched off and the suggestion that you raised, @peterwh: These are great suggestions! I'd recommend that you hop over to our Ideas forum and leave this feedback there as an idea/Feature Request. This will help our developers understand use cases and highlights your needs as a customer. 

 https://community.qlik.com/t5/Ideas/idb-p/qlik-ideas

 

Anonymous
Not applicable
‎2020-10-02 03:25 AM

HI!

I just checked with the latest QV12.50SR2 Release and hyperlinks in tables are disabled.

 

Here a screenshot how an enduser can change it back to the old behavior manually.

rva_heldendaten_0-1601623504072.png

 

 

peterwh
Creator II
Creator II
‎2020-10-02 03:40 AM

Hi,

but if you do that the security fix is disabled! As I said it's bad that all hyperlinks are disabled, if you want to use the security fix.

Kind regards
Peter

Anonymous
Not applicable
‎2020-10-02 03:43 AM

@peterwh : Totally agree. But I can't change the current release. Therefore I posted the screenshot - may it help some enduser. At least you don't have to edit it manually in some settings.ini

 

 

Contributors
Version history
Last update:
‎2020-09-24 07:14 AM
Updated by:
Digital Support