Bug 71322 - [SECURITY] Password protected editing removed after saving to XLS and probably other formats
Status: RESOLVED WONTFIX
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Calc
Version: 4.1.3.2 release (earliest affected)
Hardware: Other All
Importance: high major
Assignee: Not Assigned
Blocks: XLSX Password-Protected XLS
Reported: 2013-11-06 19:41 UTC by Mikeyy - L10n HR
Modified: 2018-10-19 13:42 UTC

Attachments
Test password file (12.03 KB, application/vnd.oasis.opendocument.spreadsheet)
2013-11-06 19:41 UTC, Mikeyy - L10n HR

Description Mikeyy - L10n HR 2013-11-06 19:41:50 UTC
Created attachment 88779
Test password file

This is similar to bug 71281.

Steps:
1. Open the test file, which is password protected. Password 1234 will open the file, but you won't be able to edit it since I set a different password for editing.
2. Save as -> XLS file
3. You will be prompted for a new password.
4. After you enter the new password, you can edit the file without problems.
Comment 1 ign_christian 2014-07-01 13:36:09 UTC
Reproducible with LO 4.2.5.2 and 4.3.0.1 - Ubuntu 12.04 x86

(In reply to comment #0)
> 2. Save as -> XLS file
> 3. You will be prompted for new password.
No need to do it. Just uncheck "Save with password" in Save as dialog box.
Comment 2 QA Administrators 2016-02-21 08:34:46 UTC Comment hidden (obsolete)
Comment 3 Tom 2016-07-20 00:10:19 UTC Comment hidden (off-topic)
Comment 4 QA Administrators 2017-11-30 06:25:59 UTC Comment hidden (obsolete)
Comment 5 Justin L 2018-10-19 13:42:47 UTC
It could be a very bad security practice to export passwords between formats - especially XLS which will have weaker protections. Calc doesn't actually know your password - just the hash, so it can't convert from one hash to another without knowing the original password anyway.

The only option would be to prompt for a new password for the edit protection when saving to a different format. That would get awfully complicated, checking on every save whether formats are being switched and passwords are missing etc. I think this can safely be marked as WONTFIX.
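
The point made in comment 5, as an added example that is not part of the bug report or of LibreOffice's code: a stored salted hash cannot be turned into another format's hash without the plaintext, and the legacy target is far weaker. Assumptions: the source record is modelled as salted PBKDF2-SHA256, the target is the 16-bit XOR password verifier of the binary Excel formats, and all function names and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

def make_edit_record(password, iterations=100_000):
    """Hypothetical stored edit-protection record: salt + slow hash, no password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}

def matches_record(record, candidate):
    """Check a candidate password against the stored record in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])

def legacy_xls_verifier(password):
    """16-bit XOR password verifier of the binary Excel formats."""
    data = password.encode("latin-1")  # assumption: single-byte characters
    verifier = 0
    for idx, byte in enumerate(data, 1):
        rot = idx % 15  # rotate left by the 1-based position, 15 bits wide
        verifier ^= ((byte << rot) | (byte >> (15 - rot))) & 0x7FFF
    return verifier ^ len(data) ^ 0xCE4B

def export_edit_protection(record, password=None):
    """Return the XLS verifier, or None when only the stored hash is available."""
    if password is None or not matches_record(record, password):
        return None  # nothing in the record can be converted into the other hash
    return legacy_xls_verifier(password)

if __name__ == "__main__":
    record = make_edit_record("edit-pass")  # constructed sample password
    # Hash alone: no way to carry the protection over.
    print(export_edit_protection(record))
    # Password supplied again by the user: the target hash can be computed.
    print(hex(export_edit_protection(record, "edit-pass")))
    # Two different constructed passwords share one legacy verifier.
    print(legacy_xls_verifier("ab") == legacy_xls_verifier("cc"))
```
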