Apache OpenOffice (AOO) Bugzilla – Issue 52050
MS Password preventing editing is ignored by OO, a potentially serious security risk
Last modified: 2013-08-07 14:38:26 UTC
I have OpenOffice v109 and work on an NT box with MS Office 97. I was testing how OpenOffice handled Microsofts password encrypted files when I found a potential bug. OpenOffice respected the passwords that do not allow users to open particular documents, however if the document was only given a password (when being created in MS Office) to prevent editing, OpenOffice could open the document, edit it, and save it with name without having to type in the password. This is a serious security concern, in this case it would be better that it couldn't open the document at all. This issue is present in both Writer and Calc and I haven't tested out impress as of yet. Before I can roll this out to my company I really need to know how to alleviate this problem. Thanks Robert Volke
MRU->FL: currently it is possible to overwrite a password protected MS Office document with a password-less version. Though OO give a kind of Warning message, I do not think that this is really applicable; others think it is. So we need a decision here.
FT->MRU: Erm, you addressed FL not FT but assigned the issue to FT (me). Any reason?
Yeah... the reason was a typo in above comment. Should read "MRU->FT"...
FT: Since most people lived with this behaviour for quite some time (and also agreed on this issue) and given the fact that PP1 and PP2 are basically "full" I re-target this issue to later and reassign it to FL (who is our Writer specialist in this matter).
FL: Retargeted to OOo 2.0.2. for further evaluation. Current recommendation: New dialog on loading such a document. If possible ask for entering password to edit, else open document read-only after showing a notification dialog. Also try to keep password if opened for edit mechanism could be implemented.
*** Issue 53521 has been marked as a duplicate of this issue. ***
FL: I have corrected target to OOo 3..0 since PP2 addresses other kind of issues.
set target to OOo 2.x
Set target to OOo later.