Apache OpenOffice (AOO) Bugzilla – Issue 60051
Macro: Password protection ignored in Run Macro dialog for user-libraries
Last modified: 2006-01-09 15:04:22 UTC
Reproduction:
1) Create a new password protected library below "My Macros"
2) Exit and restart the office
3) Open the macro organizer -> The protected library is colored differently than the accessible ones
4) Expand the node of the protected library -> The password dialog comes up
5) Enter incorrect password or cancel -> The library can neither be opened for editing nor any macros can be executed
6) Close the macro organizer
7) Open "Run Macros" -> There is no visual difference between protected libraries and accessible ones
8) Expand the node of the protected library -> No password dialog is displayed, macros can be executed
I consider this a security breach and set the prio to 2 with target OOo 2.0.3
jsk:
>>I consider this a security breach and set the prio to 2 with target OOo 2.0.3
Why not set target to next release, which would be 2.0.2? The fix concerns security aspects.
Hi Max, I agree and I have already requested permission for 2.0.2 target. Joerg
set target 2.0.2
Sorry, but I don't agree at all. This "defect" is only a misunderstanding of the Basic password protection feature. It's a perfect example for the famous slogan: It's not a bug, it's a feature! :-)
> Steps 1) to 4): Ok
> 5) Enter incorrect password or cancel -> The library can neither be opened for editing nor any macros can be executed
This indeed is a bug or at least not very nice (partly covered by task #i59247), but the problem is that the macros are _not_ displayed and can _not_ be executed, because they should be visible and executable! See below...
> 6) Close the macro organizer
> 7) Open "Run Macros" -> There is no visual difference between protected libraries and accessible ones
Correct, there's no reason for a visual difference here.
> 8) Expand the node of the protected library -> No password dialog is displayed, macros can be executed
That's how it should be. The only target of the Basic password protection feature is to protect the Basic source code. This allows a Basic programmer to give away a library for use without also publishing his sources. Of course his customer must be able to run the macros. That's why also the byte code is stored in a document containing a password protected library.
> I consider this a security breach and set the prio to 2 with target OOo 2.0.3
Please don't mix up password protection with security. Security is to protect the user against mean macros formatting his disk. Password protection on the other hand is to protect the macro (source) against the user, not allowing him to analyse the ingenious algorithms developed by the macro's author in years of work.
The Basic password feature has nothing to do with security and should not prevent the Basic macros from being executed. Quite the contrary, without the possibility to execute (source) protected macros this feature would nearly be useless, as for macro security (now really security) other mechanisms are available like Macro security levels, trusted source, signing etc.
-> INVALID ab->jsk: You should know all this... :-)
Ok, I probably should know this, yes. (sigh) Closing.