Bug 71322 - [SECURITY] Password protected editing removed after saving to XLS and probably other formats
Summary: [SECURITY] Password protected editing removed after saving to XLS and probabl...
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Calc (show other bugs)
(earliest affected) release
Hardware: Other All
: high major
Assignee: Not Assigned
Depends on:
Blocks: XLSX Password-Protected XLS
  Show dependency treegraph
Reported: 2013-11-06 19:41 UTC by Mikeyy - L10n HR
Modified: 2018-10-19 13:42 UTC (History)
4 users (show)

See Also:
Crash report or crash signature:

Test password file (12.03 KB, application/vnd.oasis.opendocument.spreadsheet)
2013-11-06 19:41 UTC, Mikeyy - L10n HR

Note You need to log in before you can comment on or make changes to this bug.
Description Mikeyy - L10n HR 2013-11-06 19:41:50 UTC
Created attachment 88779 [details]
Test password file

This is similliar to bug 71281.

1. Open test file which is password protected. Password 1234 will open file but you won't be able to edit it since I set different password for editing.
2. Save as -> XLS file
3. You will be prompted for new password.
4. After you enter new password, you can edit file without problems.
Comment 1 ign_christian 2014-07-01 13:36:09 UTC
Reproducible with LO and - Ubuntu 12.04 x86

(In reply to comment #0)
> 2. Save as -> XLS file
> 3. You will be prompted for new password.
No need to do it. Just uncheck "Save with password" in Save as dialog box.
Comment 2 QA Administrators 2016-02-21 08:34:46 UTC Comment hidden (obsolete)
Comment 3 Tom 2016-07-20 00:10:19 UTC Comment hidden (off-topic)
Comment 4 QA Administrators 2017-11-30 06:25:59 UTC Comment hidden (obsolete)
Comment 5 Justin L 2018-10-19 13:42:47 UTC
It could be a very bad security practice to export passwords between formats - especially XLS which will have weaker protections. Calc doesn't actually know your password - just the hash, so it can't convert from one hash to another without knowing the original password anyway.

The only option would be to prompt for a new password for the edit protection when saving to a different format. That would get awfully complicated, checking on every save whether formats are being switched and passwords are missing etc. I think this can safely be marked as WONTFIX.