Issue 52050 - MS Password preventing editing is ignored by OO, a potentially serious security risk
Summary: MS Password preventing editing is ignored by OO, a potentially serious securi...
Status: CONFIRMED
Alias: None
Product: Writer
Classification: Application
Component: open-import (show other issues)
Version: OOo 2.0 Beta
Hardware: PC Windows NT
: P3 Trivial with 4 votes (vote)
Target Milestone: ---
Assignee: AOO issues mailing list
QA Contact:
URL:
Keywords:
: 53521 (view as issue list)
Depends on:
Blocks:
 
Reported: 2005-07-15 20:04 UTC by rvolke
Modified: 2013-08-07 14:38 UTC (History)
5 users (show)

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this issue.
Description rvolke 2005-07-15 20:04:34 UTC 
I have OpenOffice v109 and work on an NT box with MS Office 97.  I was testing 
how OpenOffice handled Microsofts password encrypted files when I found a 
potential bug.  OpenOffice respected the passwords that do not allow users to 
open particular documents, however if the document was only given a password 
(when being created in MS Office) to prevent editing, OpenOffice could open the 
document, edit it, and save it with name without having to type in the 
password.  This is a serious security concern, in this case it would be better 
that it couldn't open the document at all.  This issue is present in both 
Writer and Calc and I haven't tested out impress as of yet.  Before I can roll 
this out to my company I really need to know how to alleviate this problem.  
Thanks

Robert Volke
Comment 1 michael.ruess 2005-07-18 14:30:42 UTC 
MRU->FL: currently it is possible to overwrite a password protected MS Office
document with a password-less version. Though OO give a kind of Warning message,
I do not think that this is really applicable; others think it is. So we need a
decision here.
Comment 2 falko.tesch 2005-08-11 08:29:20 UTC 
FT->MRU: Erm, you addressed FL not FT but assigned the issue to FT (me). Any reason?
Comment 3 michael.ruess 2005-08-11 09:05:59 UTC 
Yeah... the reason was a typo in above comment. Should read "MRU->FT"...
Comment 4 falko.tesch 2005-08-17 08:57:09 UTC 
FT: Since most people lived with this behaviour for quite some time (and also
agreed on this issue)  and given the fact that PP1 and PP2 are basically "full"
I re-target this issue to later and reassign it to FL (who is our Writer
specialist in this matter).
Comment 5 frank.loehmann 2005-08-17 09:45:07 UTC 
FL: Retargeted to OOo 2.0.2. for further evaluation.

Current recommendation:
New dialog on loading such a document. If possible ask for entering password to
edit, else open document read-only after showing a notification dialog. Also try
to keep password if opened for edit mechanism could be implemented.
Comment 6 frank 2005-09-15 12:00:45 UTC 
*** Issue 53521 has been marked as a duplicate of this issue. ***
Comment 7 frank.loehmann 2005-11-10 13:49:49 UTC 
FL: I have corrected target to OOo 3..0 since PP2 addresses other kind of issues.
Comment 8 frank.loehmann 2006-07-13 16:39:38 UTC 
set target to OOo 2.x
Comment 9 frank.loehmann 2007-09-07 10:43:34 UTC 
Set target to OOo later.