Closed
Labels: is-feature (A feature request), workflow-encryption (From a user's perspective, encryption is the affected feature/workflow)
Description
Summary
When opening an AES-256 encrypted PDF (R5/R6) where the /Perms integrity check fails,
user_access_permissions still returns a value derived from the unauthenticated /P field.
Applications enforcing access control via this property have no way to detect that tampering
may have occurred.
Current behavior
```python
# _doc_common.py line 1312
return UserAccessPermissions(self._encryption.P)  # reads unauthenticated /P
```
When /Perms validation fails, only a log warning is emitted — the caller receives no
indication that the returned permissions may be unreliable.
Proposed improvement
1. Expose perms_valid flag on the reader:
```python
# _encryption.py
self.perms_valid: bool = AlgV5.verify_perms(...)
if not self.perms_valid:
    logger_warning("ignore '/Perms' verify failed", __name__)
```
Callers can then check:
```python
from pypdf import PdfReader

reader = PdfReader("file.pdf", password="password")
if not reader.encryption.perms_valid:
    ...  # handle untrusted permissions
```
2. Add a warning in the user_access_permissions docstring:
Note: If /Perms validation failed during decryption, the returned value may reflect
a tampered /P field and should not be relied upon for security-sensitive decisions.
References
- ISO 32000-2:2020 §7.6.4.4
- Related commit: 2bf40f4
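
Without a flag such as the proposed perms_valid, a caller can still fail closed by trapping the warning quoted in the issue while the file is opened. This is an added example, not code from the issue or the project; the logger name `pypdf._encryption` and the helpers `perms_trap`, `trusted_permissions` and `open_reader` are assumptions.

```python
import logging
from contextlib import contextmanager

# The message text is quoted in the issue; the logger name is an assumption
# (the warning is emitted with __name__ of the _encryption module).
PERMS_LOGGER = "pypdf._encryption"
PERMS_MESSAGE = "ignore '/Perms' verify failed"


class UntrustedPermissions(Exception):
    """/P was read from a document whose /Perms integrity check failed."""


class PermsTrap(logging.Handler):
    """Records whether the /Perms failure warning was logged."""

    def __init__(self):
        super().__init__(level=logging.WARNING)
        self.failed = False

    def emit(self, record):
        if PERMS_MESSAGE in record.getMessage():
            self.failed = True


@contextmanager
def perms_trap():
    logger = logging.getLogger(PERMS_LOGGER)
    trap, old_level = PermsTrap(), logger.level
    logger.addHandler(trap)
    # Make sure application log config does not filter the warning out.
    if logger.getEffectiveLevel() > logging.WARNING:
        logger.setLevel(logging.WARNING)
    try:
        yield trap
    finally:
        logger.removeHandler(trap)
        logger.setLevel(old_level)


def trusted_permissions(open_reader):
    """Return the permissions, or raise if /Perms validation failed.

    open_reader: hypothetical zero-argument callable that opens and decrypts
    the file, e.g. lambda: PdfReader("file.pdf", password="password").
    """
    with perms_trap() as trap:
        reader = open_reader()
        perms = reader.user_access_permissions
    if trap.failed:
        raise UntrustedPermissions("/Perms check failed; /P is unauthenticated")
    return perms
```

The handler is process-wide, so a failing document opened concurrently in another thread also trips the trap; that errs toward rejecting.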