From 995f6f2dde88dce365cdae8f7657505a3c41841e Mon Sep 17 00:00:00 2001
From: Aditi <aditisingh1400@gmail.com>
Date: Fri, 1 Aug 2025 14:04:25 +0530
Subject: [PATCH] Avoid password prompt on attachment-only encryption when
 there are no attachments

PDF.js wrongly prompted for passwords when a PDF had no attachments but
had an encryption enabled that was limited to only attachments
leaving all page, image and metadata streams in clear text.

The encryption dictionary is now discarded for this case.
This prevents unnecessary prompts for PDFs with no protected
content beyond attachments
---
 src/core/xref.js         |  54 +++++++++++++++++++++++++++------------
 test/pdfs/.gitignore     |   1 +
 test/pdfs/issue20049.pdf | Bin 0 -> 11722 bytes
 test/test_manifest.json  |   7 +++++
 test/unit/api_spec.js    |  15 +++++++++++
 5 files changed, 61 insertions(+), 16 deletions(-)
 create mode 100644 test/pdfs/issue20049.pdf

diff --git a/src/core/xref.js b/src/core/xref.js
index da7491075b709..af185c6057979 100644
--- a/src/core/xref.js
+++ b/src/core/xref.js
@@ -31,6 +31,7 @@ import {
 } from "./core_utils.js";
 import { BaseStream } from "./base_stream.js";
 import { CipherTransformFactory } from "./crypto.js";
+import { NameTree } from "./name_number_tree.js";
 
 class XRef {
   #firstXRefStmPos = null;
@@ -118,22 +119,6 @@ class XRef {
       }
       warn(`XRef.parse - Invalid "Encrypt" reference: "${ex}".`);
     }
-    if (encrypt instanceof Dict) {
-      const ids = trailerDict.get("ID");
-      const fileId = ids?.length ? ids[0] : "";
-      // The 'Encrypt' dictionary itself should not be encrypted, and by
-      // setting `suppressEncryption` we can prevent an infinite loop inside
-      // of `XRef_fetchUncompressed` if the dictionary contains indirect
-      // objects (fixes issue7665.pdf).
-      encrypt.suppressEncryption = true;
-      this.encrypt = new CipherTransformFactory(
-        encrypt,
-        fileId,
-        this.pdfManager.password
-      );
-    }
-
-    // Get the root dictionary (catalog) object, and do some basic validation.
     let root;
     try {
       root = trailerDict.get("Root");
@@ -143,6 +128,43 @@ class XRef {
       }
       warn(`XRef.parse - Invalid "Root" reference: "${ex}".`);
     }
+
+    if (encrypt instanceof Dict) {
+      // Check if only the file attachments are encrypted.
+      if (
+        encrypt.get("CF")?.get("StdCF")?.get("AuthEvent")?.name === "EFOpen"
+      ) {
+        let hasEncryptedAttachments = false;
+        if (root instanceof Dict) {
+          const names = root.get("Names");
+          if (names instanceof Dict && names.has("EmbeddedFiles")) {
+            const nameTree = new NameTree(names.getRaw("EmbeddedFiles"), this);
+            const attachments = nameTree.getAll();
+            if (attachments.size > 0) {
+              hasEncryptedAttachments = true;
+            }
+          }
+        }
+        if (!hasEncryptedAttachments) {
+          // If there are no encrypted attachments, encrypt dictionary is
+          // not needed.
+          encrypt = null;
+        }
+      } else {
+        const ids = trailerDict.get("ID");
+        const fileId = ids?.length ? ids[0] : "";
+        // The 'Encrypt' dictionary itself should not be encrypted, and by
+        // setting `suppressEncryption` we can prevent an infinite loop inside
+        // of `XRef_fetchUncompressed` if the dictionary contains indirect
+        // objects (fixes issue7665.pdf).
+        encrypt.suppressEncryption = true;
+        this.encrypt = new CipherTransformFactory(
+          encrypt,
+          fileId,
+          this.pdfManager.password
+        );
+      }
+    }
     if (root instanceof Dict) {
       try {
         const pages = root.get("Pages");
diff --git a/test/pdfs/.gitignore b/test/pdfs/.gitignore
index 233649a1f1df1..582e32a584fc3 100644
--- a/test/pdfs/.gitignore
+++ b/test/pdfs/.gitignore
@@ -385,6 +385,7 @@
 !bug1020226.pdf
 !issue9534_reduced.pdf
 !attachment.pdf
+!issue20049.pdf
 !basicapi.pdf
 !issue15590.pdf
 !issue15594_reduced.pdf
diff --git a/test/pdfs/issue20049.pdf b/test/pdfs/issue20049.pdf
new file mode 100644
index 0000000000000000000000000000000000000000..ec0ed82e0f42152781823759c7ca4c1a59be8698
GIT binary patch
literal 11722
zcmeHNc|4Te+qXs8B5PWVH3~Ds3`X{4?Ac{!#*E#}G{&ARS+XS}TP2C8Y*DtzR*_{8
zBH2k~Pj>Z=Ry|Me?|J|D{qg?s+#f#9eeQE@-*cVIIp?|r^i|=aU@<8Mfw6JoD+XFH
z7ytrbkuD6fvOpbY3>txV_CuopV4w~F43-iX2kHU95TF`B3Idh@o+0%cllmbbX`lwc
z5&)3`1He#_wY)q78iU&90{Fwj0EYdNp^CQ0qR{#Xyt@ZUq6*f{(;edhfB^OJXq2-(
z0gDHK#pUIJY8ZRGFOEQZA(0va;m&RZG#&_dLlDs4H~=+OEoI?w2pkLo!KLAn%4(`=
zU?pWWDM=|+aV5AKTt!VuLS9x`Sz260RU85VNkJfRC{#%e3|9gxOGBlU!O|e8io7*Y
z6N5tgSdwr6Lv~*rumCXVt56*@#*yFzfJ*Hu=k?WW7|;-lC21w`b$}5GDu6f?XzYta
z1I-N44#2aPV1PIPOajD%fJY<T8EBn`kVq7hogLCHY9I5mVhGO>4bW;x`IMpv0#FA%
zpz-8B+75|IVKA((y`;MBD7(Y~s3m(jMzgw$=yxXHvGpJz@B|+`+JOPYARwTo2mggO
zgE-_D#3}$O@E;Kaz$Ad*jgpiC8UZAvf78>>&JJy7r->q?SPG=i4Pw4z&MD1x<(XM#
zN^oX!a71utJYTeDC7E$?>)G6#2Hd0wJ^h=K%-h3c6!c{J`80R`uJPB|`|eySaMFAm
z5l~<MDtQu|)V$Cb0#FUEheKn4DsWw(lA4j}PX#4NUa;#2aQHW(A0DBLCLmA<0s`QG
zaPvU_Fw=;Dz@QL#)DQE-p^`v7p)IEB8zM&rse-JmsLytpc|1gu>14-tQ5U$vPY-~e
zNsg*$Ue~yX6(l}IiFB9qwPDHryN@tXPfdu}S~0_UfT!m|PY?CmAPp<wyz5p%W|46c
z7Y?QktXkoF4pa&Q^#P(_khnBZA5B^pLZf*#+1*Xqx#2IuPQ1&%6D|xi1W1x#aEAjm
zQ6$iu3BIH^{GK-xp#q2M;p@eX+HI7Ej}w$=ZaU2@RlNK(Y4<wcrjMVo8uz6<-3lMW
zg?am$$0UW=ab@toYbu#A&_qqh$no_3eI*k87e$`*rLQ&x(cK=?pm+AmW8K&glgJm9
z69$?Bpud8}*JbqGJ#-Ox*WJZOa+2L9DFhMlo@kN>{G9M_kw72ei1q;N1{A|x3_R@#
z#&|UP>#CIe+WB=cs*pUy4ePi^)ZX=h#Slm+dH}%RC{*xRoHEwOa(C53VNfw~X@E2Y
zEG7-JCJ9G5BmS3fq!>ox@?8}}v<KD`Z%<N9{9Eua#1crc3IO^R9Co$dqYU)dV*Nv8
zgFE9r2mo=&4`-H;lqN-9$Tv=UNEebL>|M7H46U^rK&(5b)~uhm>85Az6L#wnS5mVw
zK+N)ZB^Pu&%4$P>_P^@Z&au=?wR~<tvmMr)L_wty;!JC(d|L_56d(S<wRP(;_cec`
z;^CMH1jWq~`skVxG1F@kqj&pWb)40HeCm9qaM47TwPQc+!t!|xd?=`@YqWR1+wDPl
z$(56lC2^aN`ujv1i=V%p<#^j|NtcFvGRoq{D_nmY`e}bWed9;pKr3BCHBclAh1LzH
zLl%W9kDV;8DMmWd1*@0XU*C{?YJuCTdz{zG$IZF$z&YKew@371t-oY?&V41pb-T+a
z%nh}|v|Fn7@$-t<T*rtgtR0<S<&AK_ZjleSzhRpe@er$aJ-BgW^YMK@;=9~?Qx_a7
zwQo6vcfPZfI6ts6y2w3YJ(w;L!ausah^fAgm&SE?GDp-klqbAVc>ZNYxHH2yd;ICg
z_?no^#gJ@|GrA4FNt+2#xA!OFB=WdJnF?}is5r?6;vWAYEPwT)?_T_e+58@G#X*w4
zCe4T3I!-RSUXdw$Ydfl}drb0lGscU$u|7pvY0+*ps^O&Se66az+x+n9CCa4~<hw9O
zhm5(U$m6Ch(Nc#m9y`o_{mA)D6${2tKe9oW+$4Xpd@)ucj#FhB!C=n3%1E<sc<kV+
zMp;VR70k;XLt@*MnMljPM|r8sVN^AsFjPVvIQ^}mVpB8K5&n%65H8DH{ldG?<84}a
zd>SsBJbA_&a=f<snWU!u(Jw4(>(B4Z%zPZ4UiP15y8H5wU>hzK8Bq>r>nVJbJIN;S
zMydG^abN0}gDdU+=f;rM0#Ft0<!p~OR9F5HwfFuz{{fRESe)eS5__?_an0M<sGmK8
zSS?lEaflZnu)^hc0MK<>gN@1{QZq=OB0N;kOLZTdm08#nWn4?H9>Hs`#!7cF1o`^F
zGL!!EIs;X;$-x-c0}J`kk3(rYFU*Jgr^;UUJ1zvgt|Zgn4xy?in2`rTGR;`$Kh#+r
zVrgkyqu^vBXEY<P9d&S^QeRi4=-#fDOHIwycwVwPFBXKV8W4G^FX++xB`}^>N`;@A
zj8?5jQucx%$0S9fQOUEz;$Ns<t|SSIhl9o0GY{N;z&qYp=(c+I-KnbPlw`q)OfK{G
z!%rYLW2*Fr(ga4cVyH5$QUpdEv(D3?tBp0&$R^i>UcFksu0sZ5O|@;E63ldq6jx(C
zJRiACLAF1!5%vVn7`*{=x=H4f<2VsT6{(5LVSb(BJo&!KVRNa(Xafm8mDr#=ddWwJ
zxKc`g8N?A(h`pvpE@1AS>J&ehe{^ony!V~c#?$`c;}?u}<eL1pOqK*^i8qyEZki9f
z%{~BDvy-jzTcjT=sYx;+D|M$<oE&|iw*Vkp-bYqCbp7M;a5tNT#xeR6bkVc3ZXV<r
zu41R&OKoL@U|&8BhpnZy%x{^V&f!o9=F?=8K&wsW+|AKeZEdAzOeUgs)|kGG*TS6J
znj1u}XVh{mg}pa1c%OJ6G}5UmOg7l;iWrJEG_YqhkW=ym&EX3-Tv?qwZOH<{VEW~n
zG)-7JG8H~bevE=2MZgD3CNOPN%@e2m_(G33alg+~o7{9(QJ7I3C0?U<tMqXwyufXd
z!&$?jZgmuguFw!}(L#d7KolZ&3`c_`aFjy;vd|z6CdzA+Vj2|Aic}Ak<on2ImB4-E
zUKd?(WZl7j9aLvRByrSMRA*}$aCG!R>WZ}Cb=n~Ep<w6zA&X3Gx0UW)VZU=QRk@ex
zh{b+i6(xOXR?258kyn@!6gN5qb2(35yqBq>FSo)+;HunjeR1;^O$Pu%y+a-l%A7*+
z3c=7v_Bg1&==9P3>h&!nsy=MjX*g;JMzzY><r&NBIYy5xl8J=b)?eMP*tDOr6K=Nu
z$dan^6*GQvW**mg-a8a|YH3#(?;NR!)rdbgK}j8viAdpOe|~s8!aQaaX^QAYYJqxE
z>{Cp2INnJ*Fi8Y&gk&RoigV0PJW%jDAjzB_E81vk7iVW#lw3^NhnPKml<`IF;jyE*
z3+0?v;uvTFRoTJUF;zhy8W=_emwcX_9AaGvIauehh&<0zLmPNB@c3{X_w%PGt{kwS
zat%4ia}B`n#&68TwSQ{=PAGFd#2`3VkH8zw<lAV46fVBpr}RYgsNk8ateWBc9ESYD
zsincjnl8N7f^ve@JXf1#Q0jP2b444y0{#qut-!$q1^q-JK~_DjqiV|iXJA?tioS}z
zD%pk%xtMOVdnuJSEcB{X1GEBw>Q^O_KPHbi=U=@a@0#=>*<U~}@pZCyvaMLg30s~(
zt<O2z<rD^WigiZ8Sw*Iq@X^wGxiC$&wA)F@OUN{2B=X`I^qGOclZ4=evO{`#iql11
z0@*xV%CEA0yUI&-OJ&}m-++#(OWoOeb#?mL3itc!l>=x2wB@AG<k3m4$&#0b)b${{
zbqT}6*)dmRs$$|kLf%yn$B6@yh0Zo#o(LyxoWz_wpTwKwkVKvocTdLz+r!#(<DUCH
zy>5_;pbNsK-({;u?0ziqF46lY@rEtr%fxoXOi^W|U-_oXr-m81nX6oBTs2&WxlFi{
zA<v<Q(=chxX_IMFkQb#+7IcrOEG8|c9@&7BQs-NZ9Ry0EVVU^_b9Y5M<?jsMm&>=$
zEirS<I#bflVx1snDWz0qRc7R^tfvh$1KJiEEM&?XWaMYud8+=@GVo<>2jGoev{HIq
zZe~>GQ^ZX~)~G$-z4-f`C$lWFPCu8ne|#=#Nq*c?uqg6|W`bsHv#wEJ_mHt&C9#x9
z@A}S35ON<{_2PEXTXXXV@ZMXn2HB?bS-$BTr|9IO&7yCx53<{e%!wF@eh}d{7dGE#
z=3Y8ewAt{cG0oN5KHx>T%eZ|>d(PmyNBMc8!(LD40#2t{7Y(vkov9+OGOqG&32uRD
z<RW|`su|b%2wp-}p#eS2AKs6aw=czv)12@>QT$5t?(hxscHwr0_AEMjjzx}cQBHj4
zxzX~Y_;@jtSd6U?F0<QYAZgs<!)B}Q>)0u;M)$_SKDqv#@~u+`wGYOtN54qCdv%J7
zNM~~?x$tcK*}}4fHROWJ!d-b8`AGR#d6pWln)?C3b;J(Ej@Rbk$JdKfo3FR@sHCYL
z9C%NAhYC(*N+VAve&EnPPpXDG^17-JZeW)!zg0Ioh4QwFSD5SpD7`h?rU$2(2;_m_
ztZ%uA&jlZEDp91Gs!C&(MqE=@lX`S4yEeNwyjlI3T93M}n!j4Ins&08h<V8bJjNmh
zkR!*=eT2=Q-wU6&)-|XdF+Mv+J3cQaVRfx!_6`2gWL^ug;EHXX`MHzFk8mFwX8IDz
zQlB@eQ?O!N;XO(9`f63gR>IWtQ&X`^*6Zl)c&g;khoPOS$&J>L_L>EnY?|W~dP<K*
zJRjOF2T$ZBUP;UnmdNYOYjX}QT`zs5EP#kAI%O>(ccL2D0LcQWRK9fXnKxm%t=Ji_
zBjjQ3P?d7|v(6`t82)sDi{^ACE)Rzs)zKL*4O*GstxTj%U|Nnfe{9~m0Cj+Rdpg#5
zeGcEQgU-7$=7;qbSPfL1@wTq39Q{=DA<iA(uF=2P0&j^$9~s6(4RssbGAOFCb1GSQ
z_guL`*<iF<wB3@??U@^!+uWc-NxsWKGOtbNCuGZ5)R>;Y+k_9p<^g9n23uD{=c=<;
zv$woQy!Ly)9h|QGXqJjJx9RUF7_rWuY+b&+Tvl~<w#F1;dCu;ja~vwJR6O@#wN{~v
zde7aNJ2SytacS?WXZ*|NZoGLh@cQYnd*CbbSjuNK^2b?^J_&4E(|65Ra({++JNlr3
z_~G_U<x|H%+d$Phjiq>^dYF3li~2avp3~j0rE;YbCF^4oo)?dwdx6~<`K02{a(`N1
zBCBGZN}30@H1=Yhd*LR%Y`<?*z`f}cI~l8wJ1n9sGJD_lMn1kH>FlrLKRg}u>c+A5
zW1<S_U(T<@tfr=wymZti#<#OwPlsiAUszUt9<~%6$q^xQmLOkQI?;8bpr~M|B{;dz
zW~l<7H&DH`ZIXQ7u>fX$I^ae?^<4N)Z13@^o7Ze-FE~#>T5zwP#+B?`8_&O7voBz3
z(|QXyv|1T3dHKtYBb3q9oAY8d{$Fg~%1s9h?R3)Q9kfws^^@Ll+OeM<zkPyM@8r#U
z3i&%d>#rU1s#j)jy|yEkTyl&HFING6N!lpXYuHE3Bc6hn!e`X;)rm11F@t`^E6)~N
zVv=8thdmYk{CF*?^M1w!@2zS_WOL)9Yv+el1+Agn8rWv<s{0h`{lqJ8=Y^cRQA77@
z6jp<GGPmqkUc^t&>aFV~WyC6YpFgm@>?7#z@NRf5^yAhacBIn3cBKDdlMa!Bem`}A
z0T7AZo2Vc6I6mb0X6|m5XAfT>R(!tnaWt;)vd2fn@R8GAhy2fBtWI;Ev2u)j<&(*?
z)8ukjdw^dz{q{9eS0PsceSXz!HPC@fwnr*RiqhZ?!8mS#PX|q%Z`bzS*(T>_U2>%0
zG0xn1uZYyH_b8ZqAUbEPTQ%=Nge}0<s)@es{=*(!NmEZBt3E2#I+V>pY_kRIhzko1
zSw1P{)v}s(EQj8##BE+5;`d5#>NvMKJ86{txZ+w99`Eb?8I`A-aZ5*}LEoiBPKdH)
z%G5^aQS2AR{=n63WW_Ln!+oJ*gX87GUER{8!uAZyld)wS`d(Jjf#<T{vX6Ih+_XIz
z=LjoZOWvHXlIYG)<S!V|@&;x)zwZ#e&5e7qv3z6vab{eK%AqIk-@QLz&_UxpwEp=-
zzk9~UF_ojb+Wm2#V@hjSa<1Jg>v-yNLEXo9<YB?pQ>{@xAx0`G)eOEy-Rg+tcos^_
z`V~pPo4y^!{FE2kMm>>Q?~XWfz39#3VvtpvIP^u(ncd_?JD>;0*R$;196aANA!DB7
zfd#J`Ubr!L-ajD50vnu9*zPmJu^A+`rWRA24yKN)?a00@sFt`C(k*`hG(|k+`qE-`
zB2BzNgqR`1`R3E1W7@78xrVn?DkRFe+w;N*HNIt)iNu5TaZ2lTe4I7cA|eVC<!*KB
zc8b!A!v&K<Sg*GqYhp8fkw!ONe7@w~$<+F}X{*syvywETeWG)+FlY31vUGY~e|OmD
zdkM)Zi{u;|kD#M0qQ{Nt%3k-Ty#}!ij-7pdIEf)8kCX3_W3RcN%!$gb3y;h>x9{2R
zi`(WrZ^?T#0)H4}u<z>3m#c}-=dYGJBnv(74Y7$8a~|a2&-<jw|41(W&Z>3JL5&$Q
z$Equ(pF0ya6;wK`!(PSd`#id{IK#*4C4Z~vLkXML!ZLL;b&=->TK^hA*pUoX#6~15
z<_&r?sJ?CFEk7%!-$Z)Q>ek?`u=@K4!$jmH!xaiA^4B!m=M7?@fHl!BRz2n^@qJY9
z3lm3~wHnw*Xq*z~?jmA774w_xoAL}7;l1t)u<UTT?=yctdY<Ov)Dtc9jdKUJ<34oE
zQNN9yWX>6kcPM&%%S0F2*MIWt4V%<k2P%~dANqNP?IaFP4#!h;DNPTDA7}t}5{2P0
z)h_}g2<|xo@eT1_x0{L;laBd1QC=FVSDZfnVAZne^=*fKe*Rt^#tqOLk(i#m^Zj<L
z)O?3S>w;(&*=6li8T=cnkH_XQ_Dt&^o84U95@8>ZZ^OD(w-#a<7KfE5h3WNph_Ce@
z<mzcr@X@7kN@}=q#N5F#%g4_>JA(is=i${h=!MP^DVq)5;)7+xlIVe9G;qng?9i((
zsh{mEH0o<Fu7idUIr_{jCw9&?i#f20BHP+3>q3*$$emTzV`0d1Jv*aIf$lruw*8ea
z3w7umV<=8@7k|OiY)s?hEfg&~T#Dl$4SIA?G9>_c3?-4`Zjg4Z$q3gX7mlTzvb!yo
zb2=_}n_<Kwr8r`?Qv0BT3$JJLVRzoF;2W+iQO_#{0@IVKtZj~e&|TTcZyoM!8}~PK
zk}Tq$jH#RW+_dP?U^BefIWea8A^u)~|7mJUMt}c%r{f)7RH^gLFHUrgjBNYhHX1u#
zX`L5gdbwIA5Nc!98n2yV4}FI(z2x41_Z2QUq3Xd+OMUXba5Gl7Lqe`uBiIIx6a2*p
z9E$^BMmJZYoY^zHj(jO7B_b^WS#2{ftanRKm*5eAwCQ7+{WPcWG2G6|WQ>P6+5k;e
zJ$o<fW-<1h_i(3<tiqv@n(j_xOxWDg^V707^~c)Gu-b%j(aP&b-lv#p2<n|7On@@z
zHHK?9qf=glL<i;SkKRI(c`LP)244crP-^kitA;+?$*1qc**k;-MSw*2fS8L1tnQqv
zqKlPHtWd~_lD?dTtf!4TG!pJDb)6R)KatDbk#**hNuyGp)`_uhKG-{<{EQ>m0X_m~
zYkc~!BMxxq6H&VIIg(@i`jIku2l7DiuD;=t9ec0xQ?CZ_vv%mVwAvS%Jev(No+JMA
zR5G=-`>4gbosHrQyYi@%)J4{$7exT=70E&OYoR015kVY{kh(CB*3vzgPxx6N#X~=q
z(JhX~W(9J2nl*M~)GZcHvWJStr75kbZKw(;6=*QzPibaU-wrIA31GG-fp39?PPHZ8
z-ux?f(j!(<^mzKTGnaK?3C2Ar)q=zlt<651i&(zUbVc`KacR8|WMH7XJ3SU&VqtXk
zS}dao>h$RnI!emu{(^$p+bOKE^ZXk|9fk3{E6-&-?R~jAd4!<I$49xM3>%}!ExfWY
zVHEYfWR{d}$Y+xYyyC3!r=ps2U+Sxd@3u29(W{|^cvYAWM>YNE(r7N>zPZzhzlk?g
zhgn2Th)$_sVR+=&#k@;M<q^&nd=fq+Ij$Y&>ge5_+IqsWx_Mh4+1qB`bzB3^o2OsR
zC(Sy4lo7^kbHH?NspqUGnqza5U63zxaor1d`>C$(EFJaptv89G>nTiM8p`LU&V*Lo
zG*U|wd***k`n8F)<x6Ia@KSew<HeAX#h6p#%q^{(D=DA-7e1@Dh;YA&R(Q&}amD^i
z=p)WMwwJnX-%upt*$uDgK)Tt^Yk#<-_Gy3jtuoV2%ZnjgE4{bMsH>sx^Odj+ey$ys
z7l(dySub!s$Z0}Z3k@nV%&4SaYE^|r3oMR#O+dh%UWBL}Wfa<AjVJxnhJtmdewnes
z&`0NolExuE=y00wocc`Q0>dMC1lxjs95Fle`h5FiYI(j#46-cFEh`)TCp@lJ$IdaI
zy~^&gtx0rptQJj)dc1Z|tfZp7|IJ8(yI{0-QkMUKJ7ZvAZrSh@t}HKBzAEnxONg5^
zUy<qOlX%vL>ka05vn#v`sRmIZ@9T^k-$d%XKa{FJ8!LGoc+xgIbK8Uq6a?zH)K#77
zs8Ke2%wwcM=V5sbGh*Qh>}rd-W!8*FlYnLH-HN58vw~%TY?mMwg4r{EM~<Y5JTvII
z94_mkdZsdJE&Q4PGvNjvMmENKZ{*PBVRZo+ndfIg*~?>Z?f7ZNM%mvl`|~kQY*@5b
zvR4$b2L|_c$&c*Eajnbf3#<;_&$Xglzuq^lb=(h<#pdq{VqFt=Q}Rz`^%#5M;+Fpz
z7v1KX@0^cWw%lIGSSSB7<R)0I{^)Rw5xis;R=?qOvsw%vd0}q*il6qQh<Vdef%7c^
zP1P(b0y2s;(@bpuI_}J=mExG0VyiLnV9wY}AEp-@yZW`YPdTzr-MzM`z_p@~Fl!z8
zhuz<Q-28pJZzp9rzu!TUGBLYXkpJ6#ySNcZA9NNZX;`FR1kx`m?p&kBGq8rNsGOuT
z{B%(}O6#h&a+IOb#pRFMv$KlJo$P=OvmLU15=HfP0m<7FU2nUe974$z!15}XKGB9N
zW;01pcCpdx-b$kYnNX5$na_uv82-BnyV;N5E}1QXD!Um{>mOQ6NRToHMxIE**JPxw
z&NuacWKVu=WMvh6a0q)>Gy#A_J33?Jco(Xk@&cSua=d4ux*%Pg3fjq8!w-)(@;hT}
z@8@a{L-8ue)5`kD__*WTNy#^WkGmVjL&isr7eUJSqGd?!-EJT+;Oh{As~oS=?gxOG
zu0B8oi$?=sVqj5w5C{yAf{95=K~W$FDG^edL|g(0k_3XmqF|VeI9P^sjsE@Nm8T`O
zWbr5m8ADb0cX^~YIbJ6M0Ve|ldV70|c}s|4@s2<+3<d*|=1W{$lr%!r!xuw9_=sXW
z_`Wgu!ABMCVUKsl5uC9Yz%E||66;Bj<K^8I^z->{m^<#LAdH9DS0lyjvF<=01P%xm
z0|Ea;gxjOtZ$zXIBqE7F5~1vW3c`8f-M-p`vInBw(C)kGDH0v{k94Go(AE7(`kS~P
zI=Z_9e*!?VPnJX?qe4nZld|WeUwIPvP*ISSC<tr}g2_N3G7=CAS>Rs={lexKITmk>
z#k$FVO~UOV_}={&3SBJ9*}?a(0>M%;yFcQmKu{S8&^IP~M*fw@_jK?7iOb%xd-#y%
zKt>;rMS0qz@$&8ndp#q7DH`vw>kDA07!)9+?CI==A|>45QV?N)fhQ@;?gt>1NvQ1R
z34I8%z~30`VT`hualqo;5d?Vz4(H}<kJ$CE-O;kZU!Q&-Ps-i8p}+d~Pq+K(=%g&k
z@4dUTw(F^G&btdh#tngSl;iagMWG!Ko^AwQd6V5Vup1gB3;Z_fcj|Awzcc-+)L-TA
zPOYx4j4IaNbJyuKRpmWBol!Cp(qMZ@Nl6D$7z8FI3Wh=?M5V<g(W27Q_7DfK6bg-o
z+JBw8-)Z;Q`i-w9hE%kGu}A;l3zL?HLLew9Q3sf$w5XIg1TBh?07FF)U=RWZ1B-*j
zrGN6>L;IcYH>>un<!^!FD*~iQL5fnqpJD2EJbr@xUvB&|_`l3}FS~z*>_y`r+yBD#
zj}Yx0@Go3@(fG&qzi|B{M0*GP3)fyW{;~ZpT>l8s-U0s!F4|uQ9a8<I9IrR&81wgI
z)ovl@Z^x?NYD~YK41XRBA+T>1u)8O$zt>?sH2!)T^lk^XoiYG*ueIw4UzUWB(^5a1
zi7;lrGeg6lbC-RfpPY2W8_}RE`nxWBO4R<4qWGrEkMsm-=L-2x%2>rz(_RFz!fhup
zf~;xjDFC)}xnrg-(?or%kOOK()MIQ~88z21lSkTdj2WtmLbL{ISm*sl?#(4KXLIQt
zgw8n<?k#Ljsi5)$)>ETZaDmyay?G32{Lez8C8^6+<R9Lhi*qdBkS<&RwDl^!SZx8x
z=vOuqUW}IZX<(f`<j}HgaGX1L*lA@}rZf3+@}znYIa&5KaMs_g-ct+r|FJgsZ{@%c
z>A%+igGpu4|4;)=Mj;4KEu`0>kBJDTvX#DK_n!RRQ*wa<)}V6w7*NPG_Z2%7*?th&
VLm%p6e+TJT=`R>8`Mvn}e*lAoE4Bat

literal 0
HcmV?d00001

diff --git a/test/test_manifest.json b/test/test_manifest.json
index 2e28f992fc89a..8c3b37bb6aea0 100644
--- a/test/test_manifest.json
+++ b/test/test_manifest.json
@@ -4930,6 +4930,13 @@
     "rounds": 1,
     "type": "eq"
   },
+  {
+    "id": "issue20049",
+    "file": "pdfs/issue20049.pdf",
+    "md5": "1cdfde56be6b070e0c18aafc487d92ff",
+    "rounds": 1,
+    "type": "eq"
+  },
   {
     "id": "issue8117",
     "file": "pdfs/issue8117.pdf",
diff --git a/test/unit/api_spec.js b/test/unit/api_spec.js
index e5fdf5d3003a3..52714028b8abe 100644
--- a/test/unit/api_spec.js
+++ b/test/unit/api_spec.js
@@ -878,6 +878,21 @@ describe("api", function () {
 
       await loadingTask.destroy();
     });
+
+    it("should not prompt for password if only attachments are encrypted and there are none", async function () {
+      const loadingTask = getDocument(buildGetDocumentParams("issue20049.pdf"));
+      expect(loadingTask instanceof PDFDocumentLoadingTask).toEqual(true);
+
+      loadingTask.onPassword = function (callback, reason) {
+        if (reason === PasswordResponses.NEED_PASSWORD) {
+          expect(false).toEqual(true);
+          throw new Error("Should not prompt for password.");
+        }
+      };
+
+      const pdfDocument = await loadingTask.promise;
+      expect(pdfDocument.numPages).toBeGreaterThan(0);
+    });
   });
 
   describe("PDFWorker", function () {