Potential Security Threat: Are Protected Cells NOT Protected?

Build ID: 1:5.2.2-0ubuntu2.1
CPU Threads: 2; OS Version: Linux 4.8; UI Render: default; 
Locale: nl-NL (en_US.UTF-8); Calc: group

Steps to reproduce:

Create a table in Writer, fill in some cells and select those cells, and then choose the menu "Table : Protect Cells".

When you try to type some text into one of the protected cells, it pops up a Messagebox saying: “Read-Only Content. Write-protected content cannot be changed. No modifications will be accepted.

However you can still select some text inside the protected cell, drag the selection around, and drop it on the same cell or on another protected cell, then the content changes nonetheless.

Likewise in Calc the content of cells protected by "Tools : Protect Sheet..." can still be changed using this Drag&Drop technique, be it only within the same cell.

Could somebody reproduce this, and in that case could somebody with a Bugzilla account please file a bug-report about it?

Thanks in advance, lib

After some tests with LibO V5.4.0.1RC ‘Writer’ and ‘Calc’ I can confirm the statements in the OQ.

@librebel: Why don’t you go to the bugs site yourself? I did so some years ago, and in some cases unexperienced users posted questions to the effect that there was a bug, I also created a report for them. This was not to relief them from it, but to help to get more precise reports. (My first bug report was a tricky one and I did not very well with it.) But you don’t seem that unexperienced.

Thanks for your encouraging words @Lupp,

i have zero experience in filing an official bug report myself, but given the urgency to fix the flaw, which has now been confirmed by you, i shall open up an account at Bugzilla to report it.

Reported at bugs.documentfoundation.org

@Lupp: the status of this bug is now set to “NEED INFO” and needs confirmation from a newer version then Could you officially confirm it for version ?

Using LO ver and on Windows 8

As you say @librebel with a Table in a Writer document you can select text in a protected cell and drag it to another protected cell, breaking the protection. However I don’t think this is a security issue. When you protect cells you cannot supply a password so it is simple to unprotect cells. I think the feature is there to prevent accidental modification of cells that you don’t want altered. This feature is not provided by MS Word.

In a Calc spreadsheet again as you say you can select and drag text from a protected cell only back to the same cell and the contents appear to change. In my tests the contents of the cell do not in fact change as when you select another cell the original contents show in the cell. It only shows the changed contents until you move to another cell or save the sheet. When opened the original contents are there. When you are protecting cells you can untick in the Options - Allow all users of this sheet to: Select protected cells. Then protected cells cannot be selected.
You should also be aware that the password protection of cells in this way is not really secure. If you open the Calc file with an archive manager the protected cells are visible and can even be changed. No encryption is applied as it is if you password protect a document.

Edited 17/07/2017

@librebel I can confirm that using an archive program you can view or modify protected cells in a Calc sheet, and also in a MS Excel sheet. The data is not encrypted when using cell protection. You can also remove the password requirement altogether in this way. Perhaps that is why the word Protect rather than Secure is used. If you want to make the sheet Secure then use a file password in which case the sheet data is encrypted and cannot be viewed in an archive program.

Thank you @peterwt for these excellent points. Since protected cells in Calc do indeed change back to their original value after being modified by drag&drop, and since protected cells in Writer are not password-protected, i agree that it’s not a security issue. If the contents of password-protected Calc cells are indeed modifiable from the Archive Manager, then that would be security issue.