Issue 32095

Summary: limit load password dialog to same length as save password to avoid confusion
Product: ucb Reporter: caolanm
Component: code Assignee: thorsten.martens
Status: CLOSED FIXED QA Contact: issues <issues.openoffice.org>
Severity: trivial    
Priority: P3 CC: bettina.haberer, issues, Mathias_Bauer, matthias.huetsch, mikhail.voytenko
Version: current   
Target Milestone: OOo 2.0   
Hardware: All   
OS: All   
Issue Type: DEFECT Latest Confirmation on: ---
Developer Difficulty: ---
Attachments:
Description: patch to make load dialog password limit match save dialog
Flags: none

Description caolanm 2004-07-26 13:57:45 UTC
Our save with password dialog limits the user to 16 characters, attempting to
enter more doesn't do anything. But the load with password dialog allows
unlimited characters, an innocent user (ok I did it as well) can choose a
password like "i have some spaces" for save which gets truncated to "i have some
sp" relatively silently, on load "i have some spaces" is accepted as a password
and the document fails to load. e.g.
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127772

Would be very nice to limit the password being entered to 16 characters as well.
The following patch does that, but perhaps the modified password dialog is also
used from other code that does not have such a 16 character limitation,
requiring it to be set by the dialog's caller?
Comment 1 caolanm 2004-07-26 14:09:19 UTC
Created attachment 16773
patch to make load dialog password limit match save dialog
Comment 2 caolanm 2004-07-26 14:37:58 UTC
set target and "patch" status in sneaky attempt to subvert patch handling.
Comment 3 matthias.huetsch 2005-02-14 17:21:54 UTC
Hi Caolan,

Sorry for not responding earlier, this issue was somehow lost from my intray.

I think you discovered a bug here that needs thorough investigation, and not
just your proposed patch. Thus, I'm changing the issue type to "defect", instead.

Actually, I don't see any reason why the password length should be limited to 16
characters, at least technically this is not necessary (the actual key material
of 16 bytes is generated as a hash value over the password, so the password
could be of any length).

mhu->mba: Could you please dispatch this issue to someone who is familiar with
all usages of the password dialog (mav?) and can apply a proper fix to this issue?

Thanks,
Matthias
Comment 4 Mathias_Bauer 2005-02-16 10:12:36 UTC
Mikhail should be the right developer
Comment 5 mikhail.voytenko 2005-02-16 12:52:55 UTC
The password dialog for loading must accept any password the user wants to
enter, while the dialog for saving can introduce some restrictions. For example
the password creation dialog that is shown on saving does not allow to enter a
password shorter than 5 characters, but the loading dialog allows to enter even
empty password.
The reason for this is that theoretically OOo encrypted documents can be
generated by third-party components and the office must be able to load such
documents.

The restriction for the password maximal length is there for historical reasons.
I have ported it to the password creation dialog from the sfx code during dialog
design and this restriction existed even in 5.2 code. Such a restriction was
required in the new implementation to allow SO6.0 ( OOo1.0.x ) to load encrypted
documents generated by newer versions since the old sfx approach had the
password length limit even in loading password dialog.
But the quiet ignoring of additional symbols in the password creation dialog
makes the current behaviour erroneous.

So in general there is no problem to remove the limit for the password except
that SO6.0 ( OOo1.0.x ) will not be able to open documents encrypted with
password longer than 16 characters. I am not sure whether it is acceptable. If
it is not, the password dialog should probably output a warning that not more
than 16 characters can be entered in this case ( although each new character is
shown by '*' symbol it is probably still not so recognizable that the
overflowing characters are ignored ).
Comment 6 mikhail.voytenko 2005-02-16 16:43:51 UTC
For now the preferable solution seems to be showing of the warning if user
enters a password longer than 16 characters in the create password dialog.

MAV->FL: Please take a look to the problem. This change will affect UI so it
seems to be urgent. The possible scenario is following - if user enters the 17th
character into create password dialog then the warning should be shown and the
password field should be cleaned, so that user can retype a new version.
In general it is possible to remove the limit for OASIS format and show the
warning only for SO6.0 file format, since on storing it is clear which file
format is used. But this warning should be shown from the dialog, and the dialog
is activated by interaction handler, and the handler can already be used in some
user scripts ( most of currently existing user scripts are oriented to the SO6.0
file format ). So the default behaviour of the dialog ( means it is used without
additional information ) from my point of view should be as in case of SO6.0.
Comment 7 frank.loehmann 2005-02-17 14:22:12 UTC
I have talked with GW about this issue and he told me that StarOffice 6.0 is
already end of lived. So we don't have to take care about this issue.
Furthermore I think we don't want to have a password length limitation for the
new OpenDocument format, so please remove limitation also from Enter Password
dialog on saving.
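
An added illustration of the dialog combinations discussed in this thread (not code from OpenOffice.org or from any commenter): it models a dialog that silently drops characters past its limit and checks whether the key derived on load matches the key derived on save. The SHA-256 stand-in for the key derivation, all function names and the sample passphrase are assumptions constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

LEGACY_LIMIT = 16  # character cap of the old save dialog, per the report


def derive_key(password: str) -> bytes:
    # Stand-in for the real derivation: the thread only says 16 bytes of key
    # material come from a hash over the password. SHA-256 is an assumption.
    return hashlib.sha256(password.encode("utf-8")).digest()[:16]


def dialog_key(typed: str, limit: Optional[int]) -> bytes:
    # A dialog with a limit silently ignores every character past it.
    accepted = typed if limit is None else typed[:limit]
    return derive_key(accepted)


def can_open(typed: str, save_limit: Optional[int], load_limit: Optional[int]) -> bool:
    # The user types the same string on save and on load; only the dialogs differ.
    return hmac.compare_digest(dialog_key(typed, save_limit),
                               dialog_key(typed, load_limit))


def compatibility_matrix(typed: str) -> dict:
    return {
        "reported (save 16, load unlimited)": can_open(typed, LEGACY_LIMIT, None),
        "proposed patch (save 16, load 16)": can_open(typed, LEGACY_LIMIT, LEGACY_LIMIT),
        "final fix (no limit on either)": can_open(typed, None, None),
        "new save, old 16-char loader": can_open(typed, None, LEGACY_LIMIT),
    }


def recovery_candidates(typed: str) -> list:
    # For a document saved by the old dialog: what to try in an unlimited load dialog.
    candidates = [typed]
    if len(typed) > LEGACY_LIMIT:
        candidates.append(typed[:LEGACY_LIMIT])
    return candidates


if __name__ == "__main__":
    long_pw = "correct horse battery staple"  # constructed sample, 28 characters
    for scenario, ok in compatibility_matrix(long_pw).items():
        print(f"{scenario:40} {'opens' if ok else 'FAILS'}")
    print(recovery_candidates(long_pw))
```

Passwords of 16 characters or fewer open in every combination; only longer ones expose the mismatch, which is why the truncation went unnoticed by most users.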
Comment 8 mikhail.voytenko 2005-02-17 16:29:15 UTC
Fixed.
Comment 9 mikhail.voytenko 2005-03-07 12:23:05 UTC
Please verify the issue. Now there should be no limit for maximal length of the
password on storing.

re-open issue and reassign to tm@openoffice.org
Comment 10 mikhail.voytenko 2005-03-07 12:23:12 UTC
reassign to tm@openoffice.org
Comment 11 mikhail.voytenko 2005-03-07 12:23:18 UTC
reset resolution to FIXED
Comment 12 thorsten.martens 2005-03-09 15:09:58 UTC
Checked and verified in cws mav17 -> OK !
Comment 13 thorsten.martens 2005-04-14 08:49:52 UTC
OK on Win ! -> closed !
Comment 14 mci 2005-04-14 08:53:49 UTC
ok on Linux and Solaris in m93
Comment 15 thorsten.martens 2005-04-14 08:56:26 UTC
.