Okular stores form data in a different directory (possible leak of private data)

Bug #521533 reported by Dan on 2010-02-13
18
This bug affects 3 people
Affects Status Importance Assigned to Milestone
KDE Graphics
Unknown
Medium
kdegraphics (Ubuntu)
Undecided
Unassigned

Bug Description

Binary package hint: okular

Okular has a "feature" to allow users to fill out forms within PDF files. It appears to work fine, if you just use Okular - you may or may not notice the oddity that it doesn't have a "Save" menu option, but it seems to save anyway.

You can close the PDF, reopen it with Okular, and your form data is still there.

But then you open it with Adobe Acrobat, and your form data is NOT there.

It turns out that Okular has a horribly conceived "feature" to let you store form data - but it puts the form data in a file other than the PDF document - it puts it under ~user/.kde/share/apps/okular/docdata.

Not only is this a stupidly implemented feature, it is a huge security hole for those of us that do things like fill out tax forms.

When I fill out my tax form PDF, I fully expect that my data is going to be saved within the PDF. So when I lock the PDF file inside of an encrypted volume, my data is secure.

Imagine my surprise, to find all of my tax data floating out in user/.kde/share/apps/okular/docdata/randomFileName.pdf.xml

Okular should have this "feature" immediately stripped from ubuntu to protect Ubuntu's users from this poorly designed application.

visibility: private → public
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

security vulnerability: yes → no

Hi there!

Thanks for reporting this bug! Your bug seems to be a problem with the KDE program itself, and not with our KDE packages. While we appreciate your issue, it would be better if it was tracked at https://bugs.kde.org, so that the KDE developers can deal with this speedily and have direct communication with you as the reporter for more effective debugging.

Thanks!

affects: okular (Ubuntu) → kdegraphics (Ubuntu)
Changed in kdegraphics (Ubuntu):
status: New → Invalid

Created attachment 57582
IRS form W9

Version: 0.11.1 (using KDE 4.5.3)
OS: Linux

I just realized that Okular is storing my form data in a file that is not the PDF itself. This file is hard to find and means that my social security number is stored in some random file on my machine if I fill out an IRS form W9 with Okular. This seems less than ideal from a UX perspective.

I could not find a way to delete the data short of deleting the files from the command line. Not storing the data with the PDF is really user hostile in my opinion.

Also, when I "Save As..." a PDF with filled out forms, only the first field appears to be saved in the new PDF. For the record, Evince appears to have this same bug. This may be an indication of a bug in the poppler library.

Reproducible: Always

Steps to Reproduce:
1. Open fw9.pdf IRS form.
2. View forms
3. Type in data
4. Close Okular.
5. look in ~/.kde/share/apps/okular/docdata/

Actual Results:
There are files containing potentially private data in that directory, and it's hard for a casual user to delete them.

Expected Results:
The user should be able to "Save as..." to a new file and just have a copy of the PDF with the filled in form data.

OS: Linux (x86_64) release 2.6.37-1-amd64
Compiler: cc

I just noticed the same issue. I had stored some filled out forms on an encrypted drive. I ran into a bug where the fields I entered didn't weren't being displayed after being saved (not even an empty field). I figured the file had been corrupted so I copied the original blank form over the filled out one. When I opened it all the information I had entered into the form was there despite the file having been overwritten. After looking around I found it had been written to .kde/share/apps/okular/docdata - on an unencrypted drive. This was quite startling to me and not what I expected.

I can understand if there are limitations to the PDF format that prevent you from storing the data in the PDF file itself, however you should at least inform the user of where the data is being stored before writing it. Preferably, it should be stored in the same directory as the PDF as well.

Another limitation of doing it this way is that it appears impossible to have multiple copies of the same form filled out differently, even if saved in different directories. For example, I filled out my tax forms, and then created a new directory with the copied blank forms to do my girlfriend's taxes. However, when I opened them they had my value stored in them.

The workaround was to rename the forms and then edit them, but it would match user expectations better if each copy of the form had it's own set of values.

Finally, I do think the priority on this bug should be higher as it relates to user privacy/security.

Agree with #2. I know the devs are aware of this because there are other issues regarding the opening files and having the form remain being filled out (intentional feature). However, unsure if they are aware of the security implications of this. Developers have any comment?

I ran into this problem too recently. In one department at my workplace, I set up a computer where employees can read PDFs and fill out PDF forms. There is one particular form that each of them has to fill out every two weeks. I discovered that I could avoid the problem of each person seeing (and having to delete) the details entered by the previous person by renaming the pdf file to a random temporary filename before opening it. Then I realized that by serving the pdf file from a local webserver, and having them open the pdf from a link in firefox, I would get the random temporary filename for free without having to script it. It is certainly a kludge, but it seems pretty usable for now :)

summary: - Bad data handling -> Security Hole
+ Okular stores form data in a different directory (possible leak of
+ private data)

Besides form data also annotations were served in that extra docdata xml file.

For annotations this has been fixed recently: https://bugs.kde.org/show_bug.cgi?id=151614

I haven't had time yet to read the whole lengthy discussion there or to install the new version to see whether /how it affects form data.

Changed in kdegraphics:
importance: Unknown → Medium
status: Unknown → New

Have just been bitten by this as well. The form I returned did not contain any form data.

A user should reasonably expect that form data is saved with the form, as this is what other pdf viewers do, and this is what the "File->Save As" option suggests it does. For a long form that has that has taken the user days to fill in, this is definitely an unexpected and unwelcome bug.

popper 0.22.1
okular 0.16.0 on kde 4.10

*** This bug has been confirmed by popular vote. ***

Marcus your problem has nothing to do with this bug, Warren is complaining about the data leakage into his own home folder.

What you are facing has nothing to do with this. So please open a separate bug about it.

To quote my original description:

Expected Results:
The user should be able to "Save as..." to a new file and just have a copy of the PDF with the filled in form data.

I believe this is exactly what Marcus was asking for.

Then you used a wrong subject and i decided to ignore this bug, "Save as..." should and does work here, please, i'm attaching a filled in (just the first two lines) with okular of the file you attached that opens fine in Adobe Reader and shows the data

Created attachment 78620
Filled in file

With "Hola" and "Pepe" in the first two lines

FWIW that filled in file was created with poppler 0.23 and can't be opened with 0.22 or older :-/ But that's a bug of those old versions, you can open it with Adobe Reader to see it working

It's the same bug, just a different title. Instead of saving the form data to the PDF, it gets saved externally.

Happy to hear it's solved in a newer version of poppler. 0.23 is the development branch of what will become 0.24?

Oh no, 0.22 works too, i just created it with 0.23 because it was what i had installed, let me attach one created with 0.22

Created attachment 78638
Filled file with poppler 0.22

The must be something different in our environments then. I'm using opensuse 12.3, okular 0.16.0 on KDE 4.10.0. Is there a compile-time option to enable this in poppler or okular?

I downloaded your second attachment and I can see the form data you have entered. I add my own form data and save, and when I close okular and reopen the same file, the text is there. But my text is saved externally. If I do the following, the form data reverts to your text

> mv morsa.pdf morsa1.pdf
> okular morsa1.pdf

and the form data I had saved is only visible in .kde4/share/apps/okular/docdata/107650.morsa.pdf.xml

Hello, Archlinux, kde 4.10.2, okular 0.16.2, I confirm I can open morsa.pdf and see the filled in fields(!), file elefante.pdf fails to even open.

@Marcus:
I confirm mv file and open keeps the filled in data. (Note difference between Save as.., and Save a copy)

Backends here:

$ pacman -Qs poppler
local/poppler 0.22.2-1
    PDF rendering library based on xpdf 3.0
$ pacman -Qs ghostscript
local/ghostscript 9.07-1
    An interpreter for the PostScript language

ghostscript is mentioned in Okular as backend.

It would be perfect if forms started to work! :)

Created attachment 78649
pdf with notes and drawing

Btw, if it helps, taking notes (drawing, stamps, highlighting etc) saves properly. Please verify painting2.pdf
Maybe the forms could be done in same way.

Marcus i can't help you here, i've proven it works as it has worked for a long time to be honest i should close this bug since it's basically a weird worded bug and people is just commenting on it with unrelated comments, if it doesn't work for you, you're doing something wrong or opensuse compiled something wrong, but not sure how can i help you debug it.

Changed in kdegraphics:
status: New → Unknown

It seems that when I fill out a form with Okular (with poppler 0.22), it opens in Okular when I rename it or move it to another computer. But no matter what, it doesn't open in Adobe Reader.

(In reply to comment #20)
> It seems that when I fill out a form with Okular (with poppler 0.22), it
> opens in Okular when I rename it or move it to another computer. But no
> matter what, it doesn't open in Adobe Reader.

Please use "File -> Save as..." to save filled data with your PDF file.

I used save as, but I think it only happens with some PDF files. The tax form works perfectly, but I am attaching a file for which the filled out forms only appear in Okular, but not Adobe Reader.

Created attachment 80639
File for which forms only appear in Okular, not Adobe Reader

FoxIt Reader (under wine) shows filled forms.

It can be a bug in Adobe Reader (tested version XI (11.0.03), also under wine).

I am attaching the same form filled with Adobe.

Created attachment 80647
Same form filled out in Adobe

This form opens in both Okular and Adobe.

Created attachment 80666
XFA-warning

(In reply to comment #23)
> Created attachment 80639 [details]
> File for which forms only appear in Okular, not Adobe Reader
Yes, it's known issue. Basically that file uses a newer format to store form data, which is currently unsupported by poppler (and probably won't be for a long time, because it's very complex).
However, Okular from 4.10 with poppler 0.22 should warn you (see attached screen), doesn't it?

No I don't get that warning (using KDE 4.10.3), but I found a workaround, which is to print the file to a PDF, which opens with Adobe. And now I'm going to do a "sudo apt-get purge acroread acroread-bin". (When I installed it 2 days ago, it created a file located in / called C:\nppdf32Log\debuglog.txt)

This is obnoxious. My partner sent me a file with forms filled. I changed them. There's NO WAY to keep having editable forms and send her back the file with the changes!

I tried "save as" and still get the old data there. I had to do it as a print, which means she then manually updates in her program.

This situation is horrible.

(In reply to comment #29)
> This is obnoxious. My partner sent me a file with forms filled. I changed
> them. There's NO WAY to keep having editable forms and send her back the
> file with the changes!
>
> I tried "save as" and still get the old data there. I had to do it as a
> print, which means she then manually updates in her program.
>
> This situation is horrible.

This is not the way to report bugs. Please give developers some information about your system (name and version), version of Okular and version of Poppler libraries (can be determined with "pdftops -v" command in console or using your favorite package manager).

BTW, just works here (even for XFA documents if Foxit reader used).

(In reply to comment #30)
> (In reply to comment #29)
> > This is obnoxious. My partner sent me a file with forms filled. I changed
> > them. There's NO WAY to keep having editable forms and send her back the
> > file with the changes!
> >
> > I tried "save as" and still get the old data there. I had to do it as a
> > print, which means she then manually updates in her program.
> >
> > This situation is horrible.
>
> This is not the way to report bugs. Please give developers some information
> about your system (name and version), version of Okular and version of
> Poppler libraries (can be determined with "pdftops -v" command in console or
> using your favorite package manager).
>
> BTW, just works here (even for XFA documents if Foxit reader used).

Sorry, I just assumed this was the same as the original bug, i.e. an intentional and flawed design. I didn't think this was behaving differently from intended, I thought the issue was simply that the intention was a bad one.

If you intend it to actually work reasonably (which I'd hope), and it is something about my system, well: I'm on KXStudio, which is a derivative of Ubuntu. I'm using standard KDE 4.11.2 and Okular 0.17.2 and pdftops 0.18.4.

To clarify: if I open and change the forms myself, they persist on my machine. If I send the form as an e-mail to someone else, they lose my form changes. If I "save as" on my own machine, the new file reverts to the old form data and loses my changes even on my machine. Note that this is a case where the file I got from someone else started with some form data already, entered in some program other than Okular, and I was changing it.

(In reply to comment #31)
> (In reply to comment #30)
> > (In reply to comment #29)
> > > This is obnoxious. My partner sent me a file with forms filled. I changed
> > > them. There's NO WAY to keep having editable forms and send her back the
> > > file with the changes!
> > >
> > > I tried "save as" and still get the old data there. I had to do it as a
> > > print, which means she then manually updates in her program.
> > >
> > > This situation is horrible.
> >
> > This is not the way to report bugs. Please give developers some information
> > about your system (name and version), version of Okular and version of
> > Poppler libraries (can be determined with "pdftops -v" command in console or
> > using your favorite package manager).
> >
> > BTW, just works here (even for XFA documents if Foxit reader used).
>
> Sorry, I just assumed this was the same as the original bug, i.e. an
> intentional and flawed design. I didn't think this was behaving differently
> from intended, I thought the issue was simply that the intention was a bad
> one.
>
> If you intend it to actually work reasonably (which I'd hope), and it is
> something about my system, well: I'm on KXStudio, which is a derivative of
> Ubuntu. I'm using standard KDE 4.11.2 and Okular 0.17.2 and pdftops 0.18.4.
>
> To clarify: if I open and change the forms myself, they persist on my
> machine. If I send the form as an e-mail to someone else, they lose my form
> changes. If I "save as" on my own machine, the new file reverts to the old
> form data and loses my changes even on my machine. Note that this is a case
> where the file I got from someone else started with some form data already,
> entered in some program other than Okular, and I was changing it.

It seems that poppler libraries in your system are too old (Okular itself is up-to-date). You need to install at least poppler-0.20 (or better 0.22) to have reliable forms and annotation editor which can save the data in PDF. Try to find some PPA with newer version (Debian Sid has 0.18.4, Ubuntu 13.04 has 0.20.5 and Ubuntu 13.10 has 0.24.1). Sorry.

Please take into account that some other applications (e.g. Inkscape) can be dependent on the old version of poppler, so the safest way is to build and install libraries on your own (it is not hard at all, so they do not break anything).

> It seems that poppler libraries in your system are too old (Okular itself is
> up-to-date). You need to install at least poppler-0.20 (or better 0.22) to
> have reliable forms and annotation editor which can save the data in PDF.
> Try to find some PPA with newer version (Debian Sid has 0.18.4, Ubuntu 13.04
> has 0.20.5 and Ubuntu 13.10 has 0.24.1). Sorry.
>
> Please take into account that some other applications (e.g. Inkscape) can be
> dependent on the old version of poppler, so the safest way is to build and
> install libraries on your own (it is not hard at all, so they do not break
> anything).

Oh how strange, thank you. I will figure this out! Sorry to have made assumptions about things…

I've used "save a copy" accidentally, not realising that this was fundamentally different to "save as". In a lot of programs these both create a new file, but the former leaves you editing the original, while the latter allows to keep editing the newly created file.

Anyway, I've now realised that there is potentially a lot of private data (e.g. credit card information) stored in plain text on my computer. It seems that some of the information in ~/.kde/share/apps/okular/docdata/ is about the last-used zoom/position of documents? How can I find which of these documents contains form data?

*** Bug 343852 has been marked as a duplicate of this bug. ***

Real problem is that okular violates pdf specification: section "8.6.6 Forms Data Format" of PDF reference: http://partners.adobe.com/public/developer/en/pdf/PDFReference16.pdf

The standard way to store forms is to write the form data into the special section in the same pdf file.

Current way is prone to data loss and confusion, because users will send out the pdf assuming that form is there, when it isn't. Currently form data is implicitly attached to the current pdf file name, which is counter-intuitive.

I would put the high priority on this, because the major user visible function malfunctions due to misimplementation.

*** Bug 357741 has been marked as a duplicate of this bug. ***

I also stumbled about the fact that it seems to be impossible to have multiple instances of the same filled in form under the same file name and got the impression that "Save as..." does not work. After some experimenting I found out the problem with "Save as...":

There's two places where form data is stored: .kde/* and the pdf-file itself. Data is always saved to .kde/* (attached to filename?). If you use "Save as" it's also stored to the file. The problem is that this is not visible to the user and that .kde/* seems to have precedence. If you want to fill the same form twice you can easily run into problems:

Case a: Since form data is visible after closing, reopening, or moving the file, the user assumes that it's stored inside of the pdf. To fill a form a second time he copies the filled in form into a new location and changes the necessary data. Everything seems to work, but if he reopens the original file all it's data is changed to what he entered in the new place.

Case b: The user is aware that data is stored in the file only if he used "Save as". After filling the form the first time he uses "Save as". To fill the form a second time he copies the filled in form into a new location and changes the necessary data and uses "Save as" again. Now different data is saved in both versions of the file. But if he opens version 1 again, he sees the changes he did in version 2. The reason for this is that by changing version 2, the data in .kde/* is changed and this seems to have precedence when viewing version 1. If you delete th corresponding file in .kde/* you see what's stored in the file.

In both cases the user seems to have lost data. In a) this is true, in b) his data is just not visible.

Since I stumbled about this again: The following minor changes would increase usability of forms a lot since they make the behaviour of Okular more transparent.

a) Add a menu entry "save form data" that makes Okular store the data in the file itself.
b) When the user tries to close a filled in form without explicitly saving it: Warn the user that the form data is not stores in the file (but only cached somewhere else) and ask if she/he want's to save now.
c) Always give precedence to data saved in the file itself.

(In reply to Carsten Gräser from comment #40)
> Since I stumbled about this again: The following minor changes would
> increase usability of forms a lot since they make the behaviour of Okular
> more transparent.
>
> a) Add a menu entry "save form data" that makes Okular store the data in the
> file itself.
> b) When the user tries to close a filled in form without explicitly saving
> it: Warn the user that the form data is not stores in the file (but only
> cached somewhere else) and ask if she/he want's to save now.
> c) Always give precedence to data saved in the file itself.

Carsten, the problem is that there is no code that saves to a file. There should be two choices:
* Saving to a pdf file itself
* Saving to a separate pdf file (according to the pdf spec)
But somebody for some unknown reason implemented writing it in the proprietary format into ~/.kde/share/apps/okular/docdata/ that makes okular unusable for filling forms. Nobody needs the function to save forms under ~/.kde

Yuri, this is not correct. Okular can in principle save the data to the pdf. But the interplay of this with saving to and loading from .kde/... is not very intuitive.

(In reply to Carsten Gräser from comment #42)
> Yuri, this is not correct. Okular can in principle save the data to the pdf.
> But the interplay of this with saving to and loading from .kde/... is not
> very intuitive.

What does it mean "can in principle"? Is the code saving it to the pdf there or not there? If it is there, can you send the link (line numbers)?

(In reply to Yuri from comment #43)
> (In reply to Carsten Gräser from comment #42)
> > Yuri, this is not correct. Okular can in principle save the data to the pdf.
> > But the interplay of this with saving to and loading from .kde/... is not
> > very intuitive.
>
> What does it mean "can in principle"? Is the code saving it to the pdf there
> or not there? If it is there, can you send the link (line numbers)?
I gave a very detailed explanation of "in principle". just try out as described above.

(In reply to Carsten Gräser from comment #44)
> I gave a very detailed explanation of "in principle". just try out as
> described above.

I don't know what are you talking about. You don't make yourself clear.

@Yuri, Carsten was saying that the current Okular behavior *does* save data directly to the PDF *if* you use "save as" but otherwise not. The problem remaining is that it also saves to a hidden directory as well, and then conflicts and security issues can arise from that.

Ah, I see. I didn't realize the pdf form-saving code was even there. This makes the situation much better than I thought.

Thanks for clarifying this!

Somebody should just remove the code writing under ~/.kde4/share/apps/okular/

Today I received a PDF with forms filled in, that I had to forward as a normal PDF (using "save as" or print to PDF file). Some fields worked as expected. But some were missing in the resulting PDF.

After quite some time I tried editing every single form field, ending up with the same values as before, and then printing to to PDF. Then everything working, i.e. all form fields were saved to the PDF file.

I use Okular 0.25, Platform 4.14.23

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.