Excel sheet protection not enforced in OnlyOffice

[deajan]

Do you want to request a feature or report a bug? Looks like a bug to me (sorry if being a feature). I think it's a bug because of the securiy issues this may raise, meaning that Excel Workbook protection can simply be bypassed, exposing potential confidential data.

What is the current behavior? When opening a protected excel file, hidden sheets can not be unhidden since the menu option is grey, unless the protection is removed. When opening the same file in OnlyOffice Spreadsheet Editor v5.4.1 or ,v6.1.1, the hidden sheets can be unhidden (the menu works).

If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.

1. Create a new file with Excel 2010/2013/2016/2019 or O365
2. Add another sheet
3. Right click on sheet, hide it
4. Protect the file with a password (Review> Protect Workbook)
5. Try to unhide sheet (doesn't work)
6. Open the same file in Onlyoffice
7. Try to unhide sheet, works

What is the expected behavior? Grey out the hide/unhide menu so people

Did this work in previous versions of DocumentServer? No

DocumentServer version: v5.4.1 and v6.1.1

Operating System: Server CentOS 8.3 x64 w/ php 7.3 Client Windows 10 2009 x64

Browser version: Latest Opera, Latest Brave tried.

[stavros-k]

Well.. they have it planned to add this feature since 2017... This feature is one of the most used feature in sheets (lock sheets, or cells), i don't get it why it's in this low priority.. :/ https://dev.onlyoffice.org/viewtopic.php?f=44&t=10677&p=44297&hilit=protected#p44297

[deajan]

@stavros-k Thanks, indeed that's some lowkey customer ignoring. I've even searched the code in order to make a PR, but hell that's not my languages used here. So I read the thread, Collabora has this feature ? If so, I'll have to move to collabora since this is the most important feature to us. Excel online does it too, but they only allow to fill documents when you can also download them, which is exactly what I need to prevent, eg no download, no hidden sheet view, but allow customer to fill cells.

Thanks.

[stavros-k]

@stavros-k Thanks, indeed that's some lowkey customer ignoring. I've even searched the code in order to make a PR, but hell that's not my languages used here. So I read the thread, Collabora has this feature ? If so, I'll have to move to collabora since this is the most important feature to us. Excel online does it too, but they only allow to fill documents when you can also download them, which is exactly what I need to prevent, eg no download, no hidden sheet view, but allow customer to fill cells.

Thanks.

Yes collabora has this feature, but is limited on excel fucntions, also overtime shrinks all the columns :/ I don't know if you can disable download. But get ready for not so good performance. Collabora does evrything server side and sends an image to client. You'll need a beefy machine if there is a lot of users.

[deajan]

Having read the onlyoffice code, I saw that the spreadsheet app is in a app.js file, which is executed client side.

Security wise, there would still be ways to bypass the protection. Also, since everything runs client side, onlyoffice must sent the file (including hidden sheets references to them work) to the client, rendering security a myth.

@ Onlyoffice team: Can you confirm ?

[stavros-k]

In my case protected sheets are only needed to not mess up the structure / formulas, more for ease of use and not having to be extra careful when entering data.

None of my user will try to find a hacky way to bypass this. I don't have any data that I don't want them to see, only need to protect formulas from being deleted accidentally.

This might be a security issue for others and I understand, but an option to enable it with a warning would be great. Until the devs can find a way to do it securely.

[cpot]

Sorry perhaps i am wrong, but is this a duplicate of https://github.com/ONLYOFFICE/DocumentServer/issues/488

FYI, our users asked us to develop a function for our GoFAST DigitalWorkplace to forbid to open some documents including that kind with Onlyoffice until those important features are implemented

[Rita-Bubnova]

Might this issue is depends to #488. But I created new issue 48926 in our private issue tracker for discuss it with our team.

[deajan]

It would be nice to have a statement about security from onlyoffice team about this.

[ShockwaveNN]

@deajan me and Rita has no qualification on commenting about possible problem you're describing with security, we asked our dev team to take a look and comment

[stavros-k]

Bump

[ShockwaveNN]

This is rather complicated task, so there is no news

No need to bump issue, as soon there will be - we report them

[deajan]

@ShockwaveNN Agreed that the problem itself might be diffucult without any ETA, but you said

we asked our dev team to take a look and comment

Still looking at least for that comment.

[ShockwaveNN]

@deajan Sorry, I cannot force anyone to do public comments, especially if I myself do not fully understand your question

[deajan]

@ShockwaveNN Okay, thanks at least for the honest answer ;)

[ShockwaveNN]

@deajan I can assure you our team work very hard to make our product better

But first of all we are commercial organization, 200+ people and only way to functional properly - to implement features of paying customers first, to have money to release our product as open source

We are definitely implement feature you've requested in feature, but without any time frame And I think after first round of implementation we should talk about security concerns

[Rita-Bubnova]

The issue 48926 in our private issue tracker fixed. I checked in version 7.2.0.202.

[ShockwaveNN]

Closing this issue, but feel free to reopen or better - to create a new one if not all parts of issue are fixed