Apache OpenOffice (AOO) Bugzilla – Issue 122322
Password protected spreadsheet opens without password, possibly after recovery
Last modified: 2018-10-18 02:11:01 UTC
Please attach example
AOO 4.0, just had this happen as well. I'm not sure what you would want attached? I have a spreadsheet that would have been created at some point in 3.x, I've recently updated one machine, and was working in 4.0 so it would have been saved in that version. I then was working on a machine that had 3.4, resaved. I updated that machine to 4.0, and during a power outage, spreadsheet was saved and recovered, however it was recovered without the password protection. I'm not sure if the version savings had anything to do with it, but wanted to share it as it might.. I'll try to reproduce, with a non critical spreadsheet. I'm also on Windows 7.
I have been unable to reproduce this again. I've tried it a few different ways and it's always asking for the password now..
This just occurred again. Lost electricity last night. I restarted my computer last night and updated windows. I didn't open the spreadsheet. This morning I restarted my computer for the update, and just opened the spreadsheet that should be password protected. I received the recovery message. Spreadsheet was recovered and opened withOUT the password. I then closed and saved the spreadsheet and it is now no longer protected. I'd be happy to provide any additional information from my system. This is a huge security issue imho. I'm running windows 7 home edition x64 AOO400m3(Build:9702) - Rev. 1503704 2013-07-16 14:54:56 (Di, 16 Jul 2013)
Confirmed per comment 4.
ver. 4.0.1. password secured files can be opened without the password protection after the re-covery from the cras&restart of Calc
FYI: LO has the same security issue: https://bugs.freedesktop.org/show_bug.cgi?id=51819 Some more info about this: The problem behind this issue is that the recovery file gets always saved unencrypted (unprotected) even for a password-protected file (you can check this in the user backup directory: if the content.xml inside the document is plain-text than it is unencrypted). The issue seems to be introduced by the changes for bug 119366 (revision 1354039): now SID_ENCRYPTIONDATA is also cleared in PreDoSaveAs_Impl, and so the recovery file is saved without encryption info (AutoRecovery also uses Save As to save the file). I suppose (cannot check it though) that the solution to this issue could be to modify the implts_saveOneDoc function in this file: http://svn.apache.org/viewvc/openoffice/trunk/main/framework/source/services/autorecovery.cxx?view=markup and to put PROP_ENCRYPTIONDATA also into lNewArgs (similar to PROP_PASSWORD around line 2417), so that the PreDoSaveAs_Impl could paste the encryption data from pParams (as from the original document it is cleared now due to the changes). Hope it helps!
This took me by surprise back in 3.4.1 when it happened awhile back. Wasn't sure if I had made an error, but it just happened again, in 3.4.1 only this time I was sure I had not made a mistake. File was open during an overnight windows update and after rebooting I opened the file, recovered and found password had vanished. I just upgraded to 4.1.0 and this problem persists and is reproducible. Perhaps change the version info for this issue to note it happens in Version 4.1.0? change Issue type from Defect to Security? Win7 Pro 64bit OO 4.1.0 spreadsheet in .ods format Scenario: Put a password on spreadsheet .ods file: File > Save as > Save with password Make an edit to a cell, wait for Autosave to happen (I chose 3-minute autosave interval :Tools > Options > Load/Save> General > Save Autorecovery information every 3 min) Kill the program from task manager: scalc.exe, and soffice.bin; soffice.exe dies by itself Re-open the file and get recovery prompt, choose to recover and file recovers and opens with no password on it Would like confirmation that a workaround is to turn off autorecovery saving Would like priority on this raised since it is a security issue. Please.
Adding Issue #127652 to see also. I suspect these two are related as to root cause but need someone experienced in the code base to verify that assumption.
*** Issue 127652 has been marked as a duplicate of this issue. ***
I can confirm this and my diagnosis is the same. The sequence to reproduce is (Win 7, AOO 4.1.5): 1 Tools > Options > Load/Save > General. Tick Save AutoRecovery information every [ 1] minutes. 2 Open password protected file fred.ods. This creates an encrypted copy of fred.ods in C:\Users\xxxxxx\AppData\Local\Temp\. There is no problem with this file as it is encrypted. 3 Do some edits. Wait until an AutoRecovery takes place. 4 AutoRecovery creates a file C:\Users\xxxxxx\AppData\Roaming\OpenOffice\4\user\backup\fred.ods_0.ods. This file is not encrypted. 5 Cause AOO to crash by TaskManager > Processes. Highlight scalc.exe > right-click > End process tree. AOO crashes and leaves C:\Users\xxxxxx\AppData\Roaming\OpenOffice\4\user\backup\fred.ods_0.ods. (Note TaskManager > Applications > OpenOffice Calc > END PROCESS does not crash AOO - it brings up the SAVE or CANCEL screen.) 6 Start AOO. You are given the Recovery screen. Accept. When AOO recovers fred.ods, AOO finds C:\Users\xxxxxx\AppData\Roaming\OpenOffice\4\user\backup\fred.ods_0.ods and opens it - as it is not encrypted it opens without a password. The problem has been reported in the forum as "File password disappeared after user profile reset" at https://forum.openoffice.org/en/forum/viewtopic.php?f=9&t=95553
1 The same problem occurs with Writer and a .odt file so I assume it occurs for all AOO applications and their files - it is not just a Calc problem. 2 Go Tools > Options > Load/Save > General ..., and tick Always create a backup copy. Open fred.ods or fred.odt, where the file is password protected. 3 AOO now creates a backup file C:\Users\xxxxxx\AppData\Roaming\OpenOffice\4\user\backup\fred.bak. fred.bak is encrypted. It therefore appears that: The AutoRecovery file C:\Users\xxxxxx\AppData\Roaming\OpenOffice\4\user\backup\fred.ods_0.ods is NOT encrypted. The temporary file C:\Users\xxxxxx\AppData\Local\Temp\sv91rr5n.tmp\sv91rrfl.tmp (say) is encrypted. The backup file C:\Users\xxxxxx\AppData\Roaming\OpenOffice\4\user\backup\fred.bak is encrypted.