Remove confusing optional 'password' argument to pdf_open_xref.

Require that clients call pdf_needs_password/pdf_authenticate_password
instead. For dumb clients, we still allow for decrypting a file with
a blank password without calling those functions.

11 files changed, 52 insertions, 39 deletions

diff --git a/android/jni/mupdf.c b/android/jni/mupdf.c
index f0d13b73..7c630c26 100644
--- a/android/jni/mupdf.c
+++ b/android/jni/mupdf.c
@@ -35,7 +35,6 @@ JNIEXPORT int JNICALL
 Java_com_artifex_mupdf_MuPDFCore_openFile(JNIEnv * env, jobject thiz, jstring jfilename)
 {
 	const char *filename;
-	char *password = "";
 	int accelerate = 1;
 	int pages = 0;
 
@@ -65,7 +64,7 @@ Java_com_artifex_mupdf_MuPDFCore_openFile(JNIEnv * env, jobject thiz, jstring jf
 		LOGE("Opening document...");
 		fz_try(ctx)
 		{
-			xref = pdf_open_xref(ctx, filename, password);
+			xref = pdf_open_xref(ctx, filename);
 		}
 		fz_catch(ctx)
 		{
diff --git a/apps/pdfapp.c b/apps/pdfapp.c
index 5b839eb1..3ad71c9a 100644
--- a/apps/pdfapp.c
+++ b/apps/pdfapp.c
@@ -113,7 +113,7 @@ static void pdfapp_open_pdf(pdfapp_t *app, char *filename, int fd)
 	fz_try(ctx)
 	{
 		file = fz_open_fd(ctx, fd);
-		app->xref = pdf_open_xref_with_stream(file, NULL);
+		app->xref = pdf_open_xref_with_stream(file);
 		fz_close(file);
 	}
 	fz_catch(ctx)
@@ -132,7 +132,7 @@ static void pdfapp_open_pdf(pdfapp_t *app, char *filename, int fd)
 		{
 			password = winpassword(app, filename);
 			if (!password)
-				exit(1);
+				pdfapp_error(app, "Needs a password.");
 			okay = pdf_authenticate_password(app->xref, password);
 			if (!okay)
 				pdfapp_warn(app, "Invalid password.");
diff --git a/apps/pdfclean.c b/apps/pdfclean.c
index 0f3474ce..82eb7c03 100644
--- a/apps/pdfclean.c
+++ b/apps/pdfclean.c
@@ -775,7 +775,10 @@ int main(int argc, char **argv)
 		exit(1);
 	}
 
-	xref = pdf_open_xref(ctx, infile, password);
+	xref = pdf_open_xref(ctx, infile);
+	if (pdf_needs_password(xref))
+		if (!pdf_authenticate_password(xref, password))
+			fz_throw(ctx, "cannot authenticate password: %s\n", infile);
 
 	out = fopen(outfile, "wb");
 	if (!out)
diff --git a/apps/pdfdraw.c b/apps/pdfdraw.c
index d811df07..893b5b2b 100644
--- a/apps/pdfdraw.c
+++ b/apps/pdfdraw.c
@@ -445,13 +445,17 @@ int main(int argc, char **argv)
 
 			fz_try(ctx)
 			{
-				xref = pdf_open_xref(ctx, filename, password);
+				xref = pdf_open_xref(ctx, filename);
 			}
 			fz_catch(ctx)
 			{
 				fz_throw(ctx, "cannot open document: %s", filename);
 			}
 
+			if (pdf_needs_password(xref))
+				if (!pdf_authenticate_password(xref, password))
+					fz_throw(ctx, "cannot authenticate password: %s", filename);
+
 			if (showxml)
 				printf("<document name=\"%s\">\n", filename);
 
diff --git a/apps/pdfextract.c b/apps/pdfextract.c
index 0e87cf9f..f69fd751 100644
--- a/apps/pdfextract.c
+++ b/apps/pdfextract.c
@@ -189,7 +189,10 @@ int main(int argc, char **argv)
 		exit(1);
 	}
 
-	xref = pdf_open_xref(ctx, infile, password);
+	xref = pdf_open_xref(ctx, infile);
+	if (pdf_needs_password(xref))
+		if (!pdf_authenticate_password(xref, password))
+			fz_throw(ctx, "cannot authenticate password: %s\n", infile);
 
 	if (fz_optind == argc)
 	{
diff --git a/apps/pdfinfo.c b/apps/pdfinfo.c
index a38e4f09..47f26c18 100644
--- a/apps/pdfinfo.c
+++ b/apps/pdfinfo.c
@@ -993,7 +993,10 @@ int main(int argc, char **argv)
 
 			filename = argv[fz_optind];
 			printf("%s:\n", filename);
-			xref = pdf_open_xref(ctx, filename, password);
+			xref = pdf_open_xref(ctx, filename);
+			if (pdf_needs_password(xref))
+				if (!pdf_authenticate_password(xref, password))
+					fz_throw(ctx, "cannot authenticate password: %s\n", filename);
 			pagecount = pdf_count_pages(xref);
 
 			showglobalinfo();
diff --git a/apps/pdfshow.c b/apps/pdfshow.c
index a84e962b..2fbfdc2f 100644
--- a/apps/pdfshow.c
+++ b/apps/pdfshow.c
@@ -205,26 +205,35 @@ int main(int argc, char **argv)
 		exit(1);
 	}
 
-	xref = pdf_open_xref(ctx, filename, password);
+	fz_var(xref);
+	fz_try(ctx)
+	{
+		xref = pdf_open_xref(ctx, filename);
+		if (pdf_needs_password(xref))
+			if (!pdf_authenticate_password(xref, password))
+				fz_throw(ctx, "cannot authenticate password: %s", filename);
 
-	if (fz_optind == argc)
-		showtrailer();
+		if (fz_optind == argc)
+			showtrailer();
 
-	while (fz_optind < argc)
-	{
-		switch (argv[fz_optind][0])
+		while (fz_optind < argc)
 		{
-		case 't': showtrailer(); break;
-		case 'x': showxref(); break;
-		case 'p': showpagetree(); break;
-		case 'g': showgrep(filename); break;
-		default: showobject(atoi(argv[fz_optind]), 0); break;
+			switch (argv[fz_optind][0])
+			{
+			case 't': showtrailer(); break;
+			case 'x': showxref(); break;
+			case 'p': showpagetree(); break;
+			case 'g': showgrep(filename); break;
+			default: showobject(atoi(argv[fz_optind]), 0); break;
+			}
+			fz_optind++;
 		}
-		fz_optind++;
+	}
+	fz_catch(ctx)
+	{
 	}
 
 	pdf_free_xref(xref);
-	fz_flush_warnings(ctx);
 	fz_free_context(ctx);
 	return 0;
 }
diff --git a/ios/document.c b/ios/document.c
index 3d014d6b..5531a980 100644
--- a/ios/document.c
+++ b/ios/document.c
@@ -19,7 +19,7 @@ open_document(fz_context *ctx, char *filename)
 	{
 		if (strstr(filename, ".pdf") || strstr(filename, ".PDF"))
 		{
-			doc->pdf = pdf_open_xref(ctx, filename, NULL);
+			doc->pdf = pdf_open_xref(ctx, filename);
 			pdf_load_page_tree(doc->pdf);
 		}
 		else if (strstr(filename, ".xps") || strstr(filename, ".XPS"))
diff --git a/pdf/mupdf.h b/pdf/mupdf.h
index b1b2a7e1..dfce00c1 100644
--- a/pdf/mupdf.h
+++ b/pdf/mupdf.h
@@ -106,8 +106,8 @@ fz_stream *pdf_open_raw_stream(pdf_xref *, int num, int gen);
 fz_stream *pdf_open_stream(pdf_xref *, int num, int gen);
 fz_stream *pdf_open_stream_at(pdf_xref *xref, int num, int gen, fz_obj *dict, int stm_ofs);
 
-pdf_xref *pdf_open_xref_with_stream(fz_stream *file, char *password);
-pdf_xref *pdf_open_xref(fz_context *ctx, const char *filename, char *password);
+pdf_xref *pdf_open_xref_with_stream(fz_stream *file);
+pdf_xref *pdf_open_xref(fz_context *ctx, const char *filename);
 void pdf_free_xref(pdf_xref *);
 
 /* private */
diff --git a/pdf/pdf_crypt.c b/pdf/pdf_crypt.c
index c272562e..18b3d554 100644
--- a/pdf/pdf_crypt.c
+++ b/pdf/pdf_crypt.c
@@ -579,6 +579,8 @@ pdf_authenticate_password(pdf_xref *xref, char *password)
 {
 	if (xref->crypt)
 	{
+		if (!password)
+			password = "";
 		if (pdf_authenticate_user_password(xref->crypt, (unsigned char *)password, strlen(password)))
 			return 1;
 		if (pdf_authenticate_owner_password(xref->crypt, (unsigned char *)password, strlen(password)))
diff --git a/pdf/pdf_xref.c b/pdf/pdf_xref.c
index 2411c21e..796c9ce3 100644
--- a/pdf/pdf_xref.c
+++ b/pdf/pdf_xref.c
@@ -639,7 +639,7 @@ pdf_free_ocg(fz_context *ctx, pdf_ocg_descriptor *desc)
  */
 
 pdf_xref *
-pdf_open_xref_with_stream(fz_stream *file, char *password)
+pdf_open_xref_with_stream(fz_stream *file)
 {
 	pdf_xref *xref;
 	fz_obj *encrypt, *id;
@@ -692,18 +692,8 @@ pdf_open_xref_with_stream(fz_stream *file, char *password)
 		if (fz_is_dict(encrypt))
 			xref->crypt = pdf_new_crypt(ctx, encrypt, id);
 
-		if (pdf_needs_password(xref))
-		{
-			/* Only care if we have a password */
-			if (password)
-			{
-				int okay = pdf_authenticate_password(xref, password);
-				if (!okay)
-				{
-					fz_throw(ctx, "invalid password");
-				}
-			}
-		}
+		/* Allow lazy clients to read encrypted files with a blank password */
+		pdf_authenticate_password(xref, "");
 
 		if (repaired)
 		{
@@ -1082,7 +1072,7 @@ pdf_update_object(pdf_xref *xref, int num, int gen, fz_obj *newobj)
  */
 
 pdf_xref *
-pdf_open_xref(fz_context *ctx, const char *filename, char *password)
+pdf_open_xref(fz_context *ctx, const char *filename)
 {
 	fz_stream *file = NULL;
 	pdf_xref *xref;
@@ -1091,7 +1081,7 @@ pdf_open_xref(fz_context *ctx, const char *filename, char *password)
 	fz_try(ctx)
 	{
 		file = fz_open_file(ctx, filename);
-		xref = pdf_open_xref_with_stream(file, password);
+		xref = pdf_open_xref_with_stream(file);
 	}
 	fz_catch(ctx)
 	{