[ 
https://issues.apache.org/jira/browse/PDFBOX-4839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17112150#comment-17112150
 ] 

Michael Klink commented on PDFBOX-4839:
---------------------------------------

Strictly speaking it is unclear what the correct behavior of conforming PDF 
viewers shall be.

{panel:title=ISO 32000-1, section 7.6.3.1}
If a user attempts to open an encrypted document that has a user password, the 
conforming reader shall first try to authenticate the encrypted document using 
the padding string defined in 7.6.3.3, "Encryption Key Algorithm" (default user 
password):

* If this authentication attempt is successful, the conforming reader may open, 
decrypt and display the document on the screen.

* If this authentication attempt fails, the application should prompt for a 
password. Correctly supplying either password (owner or user password) should 
enable the user to open the document, decrypt it, and display it on the screen.
{panel}

The PDF has a user password. Thus, an attempt to decrypt using the default 
password shall be made. But shall an attempt be made using the default password 
only as user password? Or shall also an attempt be made using the default 
password as owner password? The former option seems natural from the context 
but isn't clearly spelled out, so the second option also is a possible 
interpretation of the specification.

---

This use case is a bit academical, though: It doesn't make sense to require a 
non-trivial password for restricted (user) access and a trivial (empty) one for 
full (owner) access.


> Iphone IOS able to open password PDF file without password
> ----------------------------------------------------------
>
>                 Key: PDFBOX-4839
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-4839
>             Project: PDFBox
>          Issue Type: Bug
>          Components: Crypto
>    Affects Versions: 1.8.16
>         Environment: Latest version of Apple IOS on Iphone 8s
>            Reporter: Warren Nash
>            Priority: Minor
>              Labels: security
>         Attachments: 201912Cert-10000048.pdf
>
>   Original Estimate: 4h
>  Remaining Estimate: 4h
>
> Able to create encrypted password PDF file.
>  # Able to use password PDF file on PC by entering password
>  # Able to use password PDF file on Android Phone by entering password
>  # Apply IOS open PDF file and then can see all contents of PDF file.  No 
> password is required.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
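
An added illustration, not code from the issue or from PDFBox: the ISO 32000-1 standard security handler checks (Algorithms 2, 3, 5, 6 and 7) for revision 3 with a 128-bit RC4 key, showing that the two readings of 7.6.3.1 discussed in the comment give different results. The function names and the sample /O, /U, /P and ID values are assumptions constructed here for a file with a non-empty user password and an empty owner password.

```python
import hashlib, struct

PAD = bytes.fromhex("28bf4e5e4e758a4164004e56fffa0108"  # padding string, 7.6.3.3
                    "2e2e00b6d0683e802f0ca9fe6453697a")

def rc4(key, data):
    s, j, out = list(range(256)), 0, bytearray()
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 255
        s[i], s[j] = s[j], s[i]
    i = j = 0
    for b in data:
        i = (i + 1) & 255
        j = (j + s[i]) & 255
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 255])
    return bytes(out)

def rounds(key, data, order):  # revision 3: 20 RC4 passes, key XOR counter
    for i in order:
        data = rc4(bytes(k ^ i for k in key), data)
    return data

def md5_51(data):  # MD5, then 50 re-hashes (revision 3, 128-bit key)
    h = hashlib.md5(data).digest()
    for _ in range(50):
        h = hashlib.md5(h).digest()
    return h

def pad(pw):
    return (pw + PAD)[:32]
def compute_o(owner_pw, user_pw):  # Algorithm 3
    return rounds(md5_51(pad(owner_pw)), pad(user_pw), range(20))
def compute_u(user_pw, o, p, doc_id):  # Algorithms 2 and 5
    key = md5_51(pad(user_pw) + o + struct.pack("<I", p & 0xFFFFFFFF) + doc_id)
    return rounds(key, hashlib.md5(PAD + doc_id).digest(), range(20))

def auth_user(pw, o, u, p, doc_id):  # Algorithm 6
    return compute_u(pw, o, p, doc_id) == u[:16]
def auth_owner(pw, o, u, p, doc_id):  # Algorithm 7: recover padded user password from O
    return auth_user(rounds(md5_51(pad(pw)), o, range(19, -1, -1)), o, u, p, doc_id)

def default_password_opens(o, u, p, doc_id, also_try_owner):
    """Default-password attempt of 7.6.3.1 under either reading."""
    return auth_user(b"", o, u, p, doc_id) or (also_try_owner and auth_owner(b"", o, u, p, doc_id))

# Constructed values: user password "secret", empty owner password
DOC_ID, P = bytes(range(16)), -3904
O = compute_o(b"", b"secret")
U = compute_u(b"secret", O, P, DOC_ID)
```

With these values the default password fails as a user password but authenticates as the owner password, so a reader that also tries it as owner password opens the file without prompting.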
