To comment on the following update, log in, then open the issue:
http://www.openoffice.org/issues/show_bug.cgi?id=44156
User ab changed the following:
What |Old value |New value
================================================================================
Assigned to|ab |tbe
--------------------------------------------------------------------------------
Status|STARTED |NEW
--------------------------------------------------------------------------------
------- Additional comments from [EMAIL PROTECTED] Wed Jul 20 05:21:13 -0700
2005 -------
ab->bmarcelly
If a security feature has a bug, it's not necessarily a security bug and it's
not necessarily critical. To your points:
3 - all modules names and all routine names of this library are now
visible.
You have not given any password.
That's how it should be. The only target of the Basic password protection
feature is to protect the Basic source code. This allows a Basic programmer
to give away a library for use without also publishing his sources. Of course
his customer must be able to run the macros. That's why also the byte code
is stored in the document.
6 - all modules names and routine names are now visible.
That's because the library is loaded. Routine names should be visible, same
reason as for 3.
7 - Edit. The contents of the modules are apparently empty.
ACK, that's not good. It should only be possible to open modules of
password protected libraries if the correct password has been entered.
8 - suppress Module1. Create another Module1 with your own routines
with the same names. Save and close the document.
Should also not be allowed.
9 - Now a call to one of the official routines of the protected library is
diverted to another one.
Ok, so what? You've modified the document and it behaves differently of
course. For me that's no security issue. The library password is no protec-
tion against modification. You can also delete a password protected library
and create a new, completely different one. Or you can create a completely
different document. If you want to manipulate a document you don't need
this bug. This is a problem related to signing and authentification and has
nothing to do with password protection that is only ment to prevent source
visibility. And you can't see any protected source due to this bug.
So it's "only" a usablity problem. If someone enters a wrong password for his
library he should get an error message and it should not be possible to open
protected modules in the Basic IDE as this also could lead to data loss by
overwriting the original modules.
ab->tbe: As agreed to you...
---------------------------------------------------------------------
Please do not reply to this automatically generated notification from
Issue Tracker. Please log onto the website and enter your comments.
http://qa.openoffice.org/issue_handling/project_issues.html#notification
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
