Bug 155419

Summary: PDFs created with the "export to PDF" option are flagged "as executable and may harm" when posted to Google Drive
Product: LibreOffice
Component: Printing and PDF export
Status: NEW
Severity: normal
Priority: medium
Version: 7.4.6.2 release
Hardware: All
OS: All
Reporter: Ton Kronos <tontentokronos>
Assignee: Not Assigned <libreoffice-bugs>
CC: buzea.bogdan, carlo.bertelli, mentoring, michael.stahl, mikekaganski, serval2412, vsfoote
Keywords: difficultyBeginner, easyHack, skillCpp
See Also: https://bugs.documentfoundation.org/show_bug.cgi?id=156477
Bug Blocks: 103378

Description Ton Kronos 2023-05-20 10:27:37 UTC
When creating a pdf in LibreOffice with the "export to PDF" option, the resulting file is tagged as malicious in Google Drive.

Steps to reproduce:
1. Create a new document in LibreOffice and save it as PDF.
2. Upload it to Google Drive.
3. Get a link to share the pdf with anyone.
4. Paste the link in a browser to download the file.
5. Google Drive shows a warning message: "This file is executable and may harm your computer".

This behavior is due to a string that LibreOffice inserts in the code of the pdfs. The string is /OpenAction [ 1 0 R /XYZ null null 0 ]. It would be nice to have this /OpenAction disabled by default.

In this post there is an analysis of a pdf created this way with LibreOffice: https://ask.libreoffice.org/t/google-drive-says-pdfs-created-with-libreoffice-are-executable-files/91094/21?u=eugenioh

In this other post there is a workaround: https://ask.libreoffice.org/t/google-drive-says-pdfs-created-with-libreoffice-are-executable-files/91094/25?u=eugenioh
Comment 1 Julien Nabet 2023-05-20 13:41:17 UTC
Perhaps I wrongly read the links provided, but the problem here is Google, not LO.
I mean /OpenAction is ok here and doesn't do anything malicious.
Comment 2 Mike Kaganski 2023-05-20 15:38:55 UTC
It is important to use the correct wording.

Google does not tag the files as "malicious files". It detects a code in the PDF which executes an *arbitrary* action *automatically* when the PDF is opened, and then informs the user about that fact, telling literally this:

> Google Drive can't scan this file for viruses.
> This file is executable and may harm your computer.

This same warning would appear for *any* executable file, and does not *claim* that the file is malicious, but warns that it executes something, and they don't know what.

This is reproducible. And it is unclear why the *automatic action* is necessary for the *default* case, when all that we want is to show the very first page (using the default scale).

So, this issue could be fixed by making the code that adds the action conditional - not executing in case when the very first page is shown with default settings. The code is https://opengrok.libreoffice.org/xref/core/vcl/source/gdi/pdfwriter_impl.cxx?r=7ea34aa6#5305

and the condition could be simply 'm_aContext.InitialPage > 0'.

A separate improvement could be if the dialog showed some infobar in case of other settings, which would add the action - to inform the user that "this PDF will include an OpenAction command, and can be flagged as executable by some programs".
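
The comments above turn on what the /OpenAction entry actually holds: an explicit destination array like the one quoted in the description, or an action dictionary whose /S type says what runs on open. The following triage sketch is an added example, not part of the bug thread and not LibreOffice or Google code; the function names and sample bytes are constructed, and it assumes an uncompressed PDF body.

```python
import re

# Action types that only move the view; any other /S value deserves a look.
VIEW_ONLY_ACTIONS = {"GoTo"}

_OPEN_ACTION = re.compile(rb"/OpenAction\s*(\[[^\]]*\]|<<|(\d+)\s+(\d+)\s+R)")
_ACTION_TYPE = re.compile(rb"/S\s*/([A-Za-z]+)")


def _classify_value(value: bytes) -> str:
    """Classify the bytes at the start of an /OpenAction value."""
    if value.startswith(b"["):
        return "destination"  # explicit destination array: page + view only
    m = _ACTION_TYPE.search(value)
    return "action:" + m.group(1).decode("ascii") if m else "unknown"


def classify_open_action(pdf: bytes) -> str:
    """Return 'none', 'destination', 'action:<type>' or 'unknown'.

    Simplified triage: scans uncompressed bytes only, so it does not see
    catalogs stored in object streams or names written with #xx escapes.
    """
    m = _OPEN_ACTION.search(pdf)
    if not m:
        return "none"
    if m.group(2):  # indirect reference "N G R": look up "N G obj ... endobj"
        obj = re.search(rb"(?<!\d)%s\s+%s\s+obj(.*?)endobj" % m.group(2, 3),
                        pdf, re.S)
        return _classify_value(obj.group(1).strip()) if obj else "unknown"
    if m.group(1) == b"<<":  # inline action dictionary: read up to first '>>'
        end = pdf.find(b">>", m.end())
        return _classify_value(pdf[m.start(1):(end if end != -1 else None)])
    return _classify_value(m.group(1))


def needs_review(pdf: bytes) -> bool:
    """True when the open action is something other than a plain view change."""
    kind = classify_open_action(pdf)
    if kind in ("none", "destination"):
        return False
    return kind.split(":", 1)[-1] not in VIEW_ONLY_ACTIONS


# Constructed catalog fragments (not complete PDFs), for illustration only.
REPORTED = b"2 0 obj<</Type/Catalog/OpenAction [ 1 0 R /XYZ null null 0 ]>>endobj"
SCRIPTED = (b"2 0 obj<</Type/Catalog/OpenAction 5 0 R>>endobj\n"
            b"5 0 obj<</Type/Action/S/JavaScript/JS 6 0 R>>endobj")
PLAIN = b"2 0 obj<</Type/Catalog/Pages 3 0 R>>endobj"
```

A scanner that flags on the mere presence of the /OpenAction key treats REPORTED and SCRIPTED alike; classifying the value separates the view-only destination from an action that needs inspection.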
Comment 4 Carlo Bertelli 2023-11-19 21:15:50 UTC
This happened to me when I was using a CAC signature. It's the first time and version 7.4.6.2 happens to do it consistently.
Italian certified email (PEC) stops messages with these attachments as well.
VirusTotal says: "The sandbox DOCGuard flags this file as: GREYWARE"