Bug 83447 - FILESAVE: Password protected documents have a visible preview
Summary: FILESAVE: Password protected documents have a visible preview
Status: RESOLVED DUPLICATE of bug 80755
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer (show other bugs)
Version:
(earliest affected)
4.3.1.2 release
Hardware: Other All
: medium normal
Assignee: Not Assigned
URL:
Whiteboard: BSA
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-03 17:18 UTC by Sebastiano
Modified: 2014-09-03 18:34 UTC (History)
1 user (show)

See Also:
Crash report or crash signature:

Attachments
Document + screenshot (45.54 KB, application/empty)
2014-09-03 17:18 UTC, Sebastiano 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sebastiano 2014-09-03 17:18:48 UTC 
Created attachment 105697 [details]
Document + screenshot

Problem description: 

Steps to reproduce:
1. Open the attached document (the password is Password1)
2. Close it 
3. Open Libreoffice (soffice.exe)

Current behavior:
In the main page you can see the preview (text and picture) of the password protected document.

Expected behavior:
A Password protected document content should not be - in any way - inspected. 
Also if you open the odt file as zip archive you can see that the document contains a jpg image. In the previous libreoffice versions even the original name of the jpg (cat.jpg in his example) file was mantained. This is not good because you can argue info about the document content, event if it is password protected.
              
Operating System: All
Version: 4.3.1.2 release
Comment 1 Maxim Monastirsky 2014-09-03 17:32:55 UTC 
Hi Sebastiano,

(In reply to comment #0)
> In the main page you can see the preview (text and picture) of the password
> protected document.
This is fixed for the next stable release (4.3.2).

> Also if you open the odt file as zip archive you can see that the document
> contains a jpg image. In the previous libreoffice versions even the original
> name of the jpg (cat.jpg in his example) file was mantained.
Sorry but I don't understand. Your file indeed contains a jpg file, but it's named 10000000000000EE000000D48748309C.jpg.

*** This bug has been marked as a duplicate of bug 80755 ***
Comment 2 Sebastiano 2014-09-03 17:45:15 UTC 
Need to be sure that every jpg file is renamed, because in the past (previous version of libreoffice or openoffice - I don't remember) the original jpg file name was mainained.

Anyway even without password I can know that the document contains a some pictures, and also I can know the exact number of pictures. 
A encrypted document should show no information at all about its content.
Comment 3 Maxim Monastirsky 2014-09-03 18:34:07 UTC 
(In reply to comment #2)
> Anyway even without password I can know that the document contains a some
> pictures, and also I can know the exact number of pictures.
So what? It gives you absolutely nothing as long as you can't see the actual contents of those pictures. It's like saying that password-protected ZIP files are bad, because you can list their contents.

> A encrypted document should show no information at all about its content.
The standard [1] just says that individual files inside the archive can be encrypted. It doesn't say that the file structure should/can be changed. Now, it should be technically possible to inline the images inside the xml file (or something similar), but I see no point in doing that.

[1] http://docs.oasis-open.org/office/v1.2/os/OpenDocument-v1.2-os-part3.html#__RefHeading__752811_826425813