Apache OpenOffice (AOO) Bugzilla – Issue 105852
first start wizard: user data field "Initials" filled with account name
Last modified: 2017-05-20 10:28:57 UTC
Since DEV300m59 the user data field "Initials" is filled in advance with the account name. From my point of view this is a security issue, because the account name should not be included by default into OOo.
I'll announce this as a regression stopper.
cd: I checked the changes made for OOo 3.2 and could see a fix from mh for 39230. This issue states "User installations should get preset values from user's system account (first/last name, initials)". So I don't know what we want to do here. cd: Set mh on CC. cd->mh: Could you please give me some more information?
@od,of: can you please explain why this should be a security issue?
The account name is one essential part of the user's login information. When including it as initials into OOo it can also be inserted via a text field into the documents which are created in OOo. Thus, the user spreads part of his/her login information to other users when sharing documents. This is in my opinion a security issue. BTW, under Windows also the domain name is included in the current default initials.
cd: Add myself on CC.
MD: The current implementation fetches the current USERDOMAIN and USERNAME. Those values do not fit into the Office user settings field INITIALS from my point of view. I understand the intention of this bugfix, but if we can't get any information about INITIALS from the system, we should better leave this feature than implementing it by using wrong data. At least on Windows systems, no information about INITIALS is provided by the system. A user account on Windows platform offers one string for FULLNAME and one for USERNAME. Both are not INITIALS. We can't even use the FULLNAME string in our Office fields NAME and SURNAME since we wouldn't know how to separate parts from FULLNAME. My recommendation is to turn this fix back and leave the fields empty from automation point of view. Leave entering of user data up to the users as it was. Regarding the idea to get information about which user has currently locked a file, you may find a different approach to address that issue by directly implementing this information about USERDOMAIN and USERNAME into the file locking processes. But that is separated from properties discussed here.
I just installed m4 on Windows and had been offered <systemname>\<username> as initials, which is complete nonsense. If we are not able to pick the correct strings from the system (as md told), the fields should be empty. Please proceed here with a decision, this is still a showstopper for 3.2.
OK, reverted the change due to heavy resistance :-) but a few remarks: @od,of: I don't think this is a security issue. It might be probably a privacy issue since personal data (login name and probably login domain) are disclosed. From my point of view the user has full control about these data so that I consider the general protection of personal data fulfilled. @md: there is no such system setting as initials in any computer system I know, so I can't take them from the system. But anyhow I agree that initials indicate some other thing than the login data, although it might be quite common to use the initials as login name. @all: I still consider it useful to also reuse the login information in a document as this also applies to the User Name. @volkerme: I don't understand your comment at all, I don't think it is complete nonsense to use the [domainname|systemname]\username in a heterogeneous infrastructure. What about dropping the initial field at all? Anyhow, reverted that change as md decided.
Mark as verified.