I've been messing around with qpdf, and noticed something that seems huge: that a document's Owner Password is essentially useless, as it can be easily unset, and therefore that only the User Password offers any real security for a PDF.
For example, when I set a User Password and an Owner Password on a PDF:
qpdf --encrypt "zeus" "zeussecurity" 128 --modify-other=n --extract=n --annotate=n --form=y --use-aes=y -- "Unsecured.pdf" "Secured.pdf"
...all that's needed to unset both of them is the User Password:
qpdf --decrypt --password=zeus Secured.pdf Secured_decrypted.pdf
When I set only an Owner Password on a PDF:
qpdf --encrypt "" "zeussecurity" 128 --modify-other=n --extract=n --annotate=n --form=y --use-aes=y -- "Unsecured.pdf" "Secured.pdf"
...I'm able to unset it without a password at all:
qpdf --decrypt Secured.pdf Secured_decrypted.pdf
Notice that qpdf is not a brute-forcing program and this all happens in less than a second, so this isn't a case of password strength - the passwords are simply being bypassed entirely.
Is this normal behaviour for the security on a PDF, or some sort of bug/edge case that I've run into?
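The behaviour observed above follows from how the PDF standard security handler derives the content key, shown here as an added example that is not part of the original post and is not qpdf's code. The key is computed from the user password and values stored in the file; the owner password only wraps the user password inside the /O entry. Assumptions: revision 3/4 handler with a 128-bit key and encrypted metadata; the function names, the permission value and the document ID are constructed for illustration.

```python
import hashlib
import struct

# 32-byte padding string from the PDF specification (standard security handler).
PAD = bytes.fromhex("28bf4e5e4e758a4164004e56fffa0108"
                    "2e2e00b6d0683e802f0ca9fe6453697a")

def pad(pw):
    return (pw + PAD)[:32]

def rc4(key, data):
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i, j, out = 0, 0, bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def md5_stretch(data):
    h = hashlib.md5(data).digest()
    for _ in range(50):              # 50 extra MD5 rounds (revision 3 and later)
        h = hashlib.md5(h).digest()
    return h                         # 16 bytes = 128-bit key

def owner_entry(owner_pw, user_pw):
    """/O as stored in the file: the padded user password wrapped under the owner key."""
    key, data = md5_stretch(pad(owner_pw)), pad(user_pw)
    for i in range(20):
        data = rc4(bytes(k ^ i for k in key), data)
    return data

def user_pw_from_owner(owner_pw, o_entry):
    """What the owner password buys: it unwraps the padded user password from /O."""
    key, data = md5_stretch(pad(owner_pw)), o_entry
    for i in reversed(range(20)):
        data = rc4(bytes(k ^ i for k in key), data)
    return data

def file_key(user_pw, o_entry, p, id0):
    """Content key: built from the user password plus values readable in the file."""
    return md5_stretch(pad(user_pw) + o_entry + struct.pack("<I", p & 0xFFFFFFFF) + id0)

O = owner_entry(b"zeussecurity", b"")            # constructed sample, empty user password
KEY = file_key(b"", O, -3392, bytes(range(16)))  # constructed P and ID; no owner password used
```

With an empty user password every input to `file_key` is either public or stored in the file, so the permission flags are only a request that a conforming viewer chooses to honour.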