Issue 44156 - Basic : incorrect password loads protected macro library
Summary: Basic : incorrect password loads protected macro library
Status: CLOSED IRREPRODUCIBLE
Alias: None
Product: udk
Classification: Code
Component: code (show other issues)
Version: OOo 2.0 Beta
Hardware: All Windows XP
: P3 Trivial with 4 votes (vote)
Target Milestone: AOO PleaseHelp
Assignee: ab
QA Contact: issues@udk
URL:
Keywords:
: 53709 59247 (view as issue list)
Depends on:
Blocks:
 
Reported: 2005-03-05 13:47 UTC by bmarcelly
Modified: 2009-02-19 08:06 UTC (History)
1 user (show)

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---


Attachments

Note You need to log in before you can comment on or make changes to this issue.
Description bmarcelly 2005-03-05 13:47:42 UTC
- Steps to reproduce the bug -
1 - create a new Writer document
2 - with Basic macro organizer, create library named : secretLib
3 - protect this library with password : OpenOffice
4 - edit : you are in Module1 with an empty macro Main. Change the name to : 
MainSecret. Add another module Module2 containing macro Main2.
5 - save the document ( .odt ), close the document
6 - open the document
7 - with Basic macro organizer, click on + at left of secretLib. You are asked for a 
password. Give this password : wrongpass
8 - Consequences : 
 a - no indication that the password is incorrect
 b - in the same organizer first window the library is now loaded and its modules are 
now visible
 c - but the macros of these modules are not visible
 d - you can now add more modules or macros (through Organizer... window)

This behaviour is incorrect.
Comment 1 kay.ramme 2005-03-07 10:14:29 UTC
KR->AB: Please take care of this.
Comment 2 ab 2005-03-18 15:36:59 UTC
I could reproduce this but don't consider this to be critical -> OOo Later
Comment 3 bmarcelly 2005-03-20 20:04:44 UTC
Not critical as concerns security ? Read this (continued from my first message)

1 - Open the document containing the library secretLib
2 - Tools > Macros > Run > click on + sign next to secretLib icon
3 - all modules names and all routine names of this library are now visible. You have 
not given any password.
4 - Cancel the Macro Selector dialog. Tools > Macros > Organize Macros > OOo Basic
5 - enter a false password for secretLib
6 - all modules names and routine names are now visible. 
7 - Edit. The contents of the modules are apparently empty.
8 - suppress Module1. Create another Module1 with your own routines with the same 
names. Save and close the document.
9 - Now a call to one of the official routines of the protected library is diverted to 
another one.
Comment 4 ab 2005-07-20 13:21:13 UTC
ab->bmarcelly
If a security feature has a bug, it's not necessarily a security bug and it's 
not necessarily critical. To your points:

    3 - all modules names and all routine names of this library are now visible. 
    You have not given any password.

That's how it should be. The only target of the Basic password protection
feature is to protect the Basic source code. This allows a Basic programmer 
to give away a library for use without also publishing his sources. Of course 
his customer must be able to run the macros. That's why also the byte code
is stored in the document.

    6 - all modules names and routine names are now visible. 

That's because the library is loaded. Routine names should be visible, same
reason as for 3.

   7 - Edit. The contents of the modules are apparently empty.

ACK, that's not good. It should only be possible to open modules of 
password protected libraries if the correct password has been entered.

    8 - suppress Module1. Create another Module1 with your own routines 
   with the same names. Save and close the document.

Should also not be allowed.

   9 - Now a call to one of the official routines of the protected library is 
   diverted to another one.

Ok, so what? You've modified the document and it behaves differently of
course. For me that's no security issue. The library password is no protec-
tion against modification. You can also delete a password protected library
and create a new, completely different one. Or you can create a completely
different document. If you want to manipulate a document you don't need
this bug. This is a problem related to signing and authentification and has
nothing to do with password protection that is only ment to prevent source
visibility. And you can't see any protected source due to this bug.

So it's "only" a usablity problem. If someone enters a wrong password for his
library he should get an error message and it should not be possible to open
protected modules in the Basic IDE as this also could lead to data loss by
overwriting the original modules.

ab->tbe: As agreed to you...
Comment 5 thomas.benisch 2005-12-02 14:42:24 UTC
TBE->AB: As discussed to you.
Comment 6 ab 2006-05-10 12:47:29 UTC
Started
Comment 7 ab 2006-05-19 08:11:15 UTC
*** Issue 59247 has been marked as a duplicate of this issue. ***
Comment 8 ab 2006-05-19 08:15:35 UTC
*** Issue 53709 has been marked as a duplicate of this issue. ***
Comment 9 ab 2009-02-19 08:02:12 UTC
Not reproducible any more in dev300 m41. Now when in 7 a wrong
password is used an error message occurs and the modules are
not visible. Obviously the password behavior has been changed 
in the scope of another issue. Setting this one to WORKSFORME.
Comment 10 ab 2009-02-19 08:06:39 UTC
CLOSED