Apache OpenOffice (AOO) Bugzilla – Issue 32095
limit load password dialog to same length as save password to avoid confusion
Last modified: 2005-04-14 08:56:26 UTC
Our save with password dialog limits the user to 16 characters, attempting to enter more doesn't do anything. But the load with password dialog allows unlimited characters, an innocent user (ok I did it as well) can choose a password like "i have some spaces" for save which gets truncated to "i have some sp" relatively silently, on load "i have some spaces" is accepted as a password and the document fails to load. e.g. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127772 Would be very nice to limit the password being entered to 16characters as well. The following patch does that, but perhaps the modified password dialog is also used from other code that does not have such a 16 character limitation, requiring it to be set by the dialogs caller ?
Created attachment 16773 [details] patch to make load dialog password limit match save dialog
set target and "patch" status in sneaky attempt to subvert patch handling.
Hi Caolan, Sorry for not responding earlier, this issue was somehow lost from my intray. I think you discovered a bug here that needs thorough investigation, and not just your proposed patch. Thus, I'm changing the issue type to "defect", instead. Actually, I don't see any reason why the password length should be limited to 16 characters, at least technically this is not necessary (the actual key material of 16 bytes is generated as a hash value over the password, so the password could be of any length). mhu->mba: Could you please dispatch this issue to someone who is familar with all usages of the password dialog (mav?) and can apply a proper fix to this issue? Thanks, Matthias
Mikhail should be the right developer
The password dialog for loading must accept any password the user whants to enter, while the dialog for saving can introduce some restrictions. For example the password creation dialog that is shown on saving does not allow to enter a password shorter that 5 characters, but the loading dialog allows to enter even empty password. The reason for this is that theoretically OOo encrypted documents can be generated by third-party components and the office must be able to load such documents. The restriction for the password maximal length is there for historical reasons. I have ported it to the password creation dialog from the sfx code during dialog design and this restriction existed even in 5.2 code. Such a restriction was required in the new implementation to allow SO6.0 ( OOo1.0.x ) to load encrypted documents generated by newer versions since the old sfx approach had the password length limit even in loading password dialog. But the quiet ignoring of additional symbols in the password creation dialog makes the current behaviour errorneous. So in general there is no problem to remove the limit for the password except that SO6.0 ( OOo1.0.x ) will not be able to open documents encrypted with password longer than 16 characters. I am not sure whether it is acceptable. If it is not, the password dialog should probably output a warning that not more than 16 characters can be entered in this case ( although each new character is shoun by '*' symbol it is probably still not so recognizable that the overflowing characters are ignored ).
For now the preferable solution seems to be showing of the warning if user enters a password longer that 16 characters in the create password dialog. MAV->FL: Please take a look to the problem. This change will affect UI so it seems to be urgent. The possible scenario is following - if user enters the 17th character into create password dialog then the warning should be shown and the password field should be cleaned, so that user can retype a new version. In general it is possible to remove the limit for OASIS format and show the warning only for SO6.0 file format, since on storing it is clear which file format is used. But this warning should be shown from the dialog, and the dialog is activated by interaction handler, and the handler can already be used in some user scripts ( most of currently existing user scripts are oriented to the SO6.0 file format ). So the default behaviour of the dialog ( means it is used without additional information ) from my point of view should be as in case of SO6.0.
I have talked with GW about this issue and he told me that StarOffice 6.0 is already end of lived. So we don't have to take care about this issue. Furthermore I think we don't want to have a password length limitation for the new OpenDocument format, so please remove limitation also from Enter Password dialog on saving.
Fixed.
Please verify the issue. Now there should be no limit for maximal length of the password on storing. re-open issue and reassign to tm@openoffice.org
reassign to tm@openoffice.org
reset resolution to FIXED
Checked and verified in cws mav17 -> OK !
OK on Win ! -> closed !
ok on Linux and Solaris in m93
.