Bug 155419 - PDF's created with the "export to PDF" option are flagged "as executable and may harm" when posted to Google Drive
Summary: PDF's created with the "export to PDF" option are flagged "as executable and ...
Status: NEW
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Printing and PDF export (show other bugs)
Version:
(earliest affected)
7.4.6.2 release
Hardware: All All
: medium normal
Assignee: Not Assigned
URL:
Whiteboard:
Keywords: difficultyBeginner, easyHack, skillCpp
Depends on:
Blocks: PDF-Export
  Show dependency treegraph
 
Reported: 2023-05-20 10:27 UTC by Ton Kronos
Modified: 2023-11-19 21:15 UTC (History)
7 users (show)

See Also:
Crash report or crash signature:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ton Kronos 2023-05-20 10:27:37 UTC 
When creating a pdf in LibreOffice with the "export to PDF" option, the resulting file is tagged as malicious in Google Drive.

Steps to reproduce:
1. Create a new document in LibreOffice and save it as PDF.
2. Upload it to Google Drive.
3. Get a link to share the pdf with anyone.
4. Paste the link to in a browser to download the file.
5. Google Drive shows a warning message: "This file is executable and may harm your computer".

This behavior is due to a string that LibreOffice inserts in the code of the pdfs. The string is /OpenAction [ 1 0 R /XYZ null null 0 ]. It would be nice to have this /OpenAction disabled by default.

In this post there is an analysis of a pdf created this way with LibreOffice: https://ask.libreoffice.org/t/google-drive-says-pdfs-created-with-libreoffice-are-executable-files/91094/21?u=eugenioh

In this other post there is a workaround: https://ask.libreoffice.org/t/google-drive-says-pdfs-created-with-libreoffice-are-executable-files/91094/25?u=eugenioh
Comment 1 Julien Nabet 2023-05-20 13:41:17 UTC 
Perhaps I wrongly read the links provided but the pb here is Google not LO.
I mean /OpenAction is ok here and doesn't do anything malicious.
Comment 2 Mike Kaganski 2023-05-20 15:38:55 UTC 
It is important to use the correct wording.

Google does not tag the files as "malicious files". It detects a code in the PDF which executes an *arbitrary* action *automatically* when the PDF is opened, and then informs the user about that fact, telling literally this:

> Google Drive can't scan this file for viruses.
> This file is executable and may harm your computer.

This same warning would appear for *any* executable file, and does not *claim* that the file is malicious, but warns that it executes something, and they don't know what.

This is reproducible. And it is unclear, why the *automatic action* is necessary for the *default* case, when all that we want is to show the very first page (using the default scale).

So, this issue could be fixed by making the code that adds the action conditional - not executing in case when the very first page is shown with default settings. The code is https://opengrok.libreoffice.org/xref/core/vcl/source/gdi/pdfwriter_impl.cxx?r=7ea34aa6#5305

and the condition could be simply 'm_aContext.InitialPage > 0'.

A separate improvement could be, if the dialog shown some infobar in case of other settings, which would add the action - to inform the user that "this PDF will include an OpenAction command, and can be flagged as executable by some programs".
Comment 4 Carlo Bertelli 2023-11-19 21:15:50 UTC 
This happened to me when I was using CAC signature. It's the first time and version 7.4.6.2 happens to do it consistently.
Italian certified email (PEC) stops messages with these attachments as well.
VirusTotal says: "The sandbox DOCGuard flags this file as: GREYWARE"