| Field | Value |
|---|---|
| Summary | saves Mysql password in plain text |
| Product | [Applications] digikam |
| Reporter | Steven Robbins <steve> |
| Component | Database-Mysql |
| Assignee | Digikam Developers <digikam-bugs-null> |
| Status | RESOLVED FIXED |
| Severity | wishlist |
| CC | caulier.gilles, metzpinguin |
| Priority | NOR |
| Version | 7.0.0 |
| Target Milestone | --- |
| Platform | Other |
| OS | Linux |
| Latest Commit | |
| Version Fixed In | 7.0.0 |
Description
Steven Robbins
2020-03-08 19:54:06 UTC
Gilles Caulier
There is no plan to add another specific KDE dependency to digiKam for this report. The goal is to reduce KDE dependencies in the future, not to add new ones. But I agree that the password needs to be encrypted in the digikamrc file.

Gilles Caulier
We can use QCryptographicHash for that: https://stackoverflow.com/questions/2990722/howto-crypt-encrypt-some-string-e-g-password-on-qt-simple

Maik
QCryptographicHash only creates a hash. This means that the password cannot be reconstructed, only compared to check whether the user has entered the correct password. We would have to "hide" a password to encrypt in the code. This is not so easy with open source. It would only help with a quick look at the configuration file, so that the password is not immediately readable.

Gilles
Hashing the password can be enough for the use case in digiKam. Look at this comment: https://forum.qt.io/topic/76859/encrypt-and-decrypt-the-password-entered-in-qlineedit/8 It is simple to do and safe enough. No need for an extra library and to be paranoid (:=)))...

Gilles
Maik, good news: the O2 library from digiKam core already includes a simple Qt class to crypt/decrypt passwords. It is based on this code: https://wiki.qt.io/Simple_encryption_with_SimpleCrypt It's really enough for digiKam. I will use it for the database. The MediaWiki plugin also stores the password in clear text in the config file. I will patch this code too.

Maik
I had already thought about the encryption in the O2 library, even if the key is not really hidden. But it is enough for our purposes. We should probably come up with a solution to see if the current password is still plain text, so that the user does not have to enter the password again. Possibly add a string extension to the encrypted one and check it.

Gilles
Note: after verification, MediaWiki does not store the password in the config file.

Gilles
Maik, yes, I made a patch in this way in the DBEngineParameters class. The non-encrypted password is read and converted into a crypted version. The non-encrypted version is removed from the config file.

Git commit 9e68bc874e38b82e48981df728a1d83d317557f1 by Gilles Caulier. Committed on 14/03/2020 at 07:18. Pushed by cgilles into branch 'master'.
database password encryption: use O2 Simple Crypt algorithm to store password in config file instead of clear string. remove older non encrypted password version in config file.
M +28 -2 core/libs/database/engine/dbengineparameters.cpp
https://invent.kde.org/kde/digikam/commit/9e68bc874e38b82e48981df728a1d83d317557f1

Gilles
Maik, take a look at my simple patch just committed. It must work in all cases, I think.

Maik
Yes, works fine.

Gilles
Thanks, Maik, for cross-checking. I close this file now...
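The migration the thread settles on (read the legacy plaintext entry, store a crypted version, remove the plaintext key) together with Maik's idea of a recognisable "string extension" on the crypted value, as an added example in plain C++ that is not digiKam's code and not the O2 SimpleCrypt class. The chained-XOR-with-salt-and-checksum scheme is modelled on the idea behind the Qt wiki SimpleCrypt page but is this example's own implementation; the config key names, the `sc1:` marker prefix and the compiled-in key are assumptions. Because the key ships inside the binary, the scheme only defeats a casual look at the config file, which is exactly the level of protection the thread agrees on; file permissions or an OS keyring are what actually keep the password from other users.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>

using Config = std::map<std::string, std::string>;

// Marker prefix so a loader can tell a crypted value from a legacy plaintext
// one (Maik's "string extension"). The prefix is this example's own convention.
static const std::string kMarker = "sc1:";
// Key compiled into the program. Assumption for this example; anyone with the
// binary can read it, so this is obfuscation against casual viewing, not secrecy.
static const uint64_t kExampleKey = 0x5A17C3E4B2D1F006ULL;
// Hypothetical config keys; the real digikamrc key names are not shown on the page.
static const std::string kPlainKey = "Database Password";
static const std::string kObfKey   = "Database Password Encrypted";

static std::string toHex(const std::string& raw) {
    static const char* digits = "0123456789abcdef";
    std::string out;
    for (unsigned char c : raw) { out += digits[c >> 4]; out += digits[c & 0x0F]; }
    return out;
}

static std::string fromHex(const std::string& hex) {
    if (hex.size() % 2) throw std::invalid_argument("odd hex length");
    std::string out;
    for (size_t i = 0; i < hex.size(); i += 2)
        out += static_cast<char>(std::stoul(hex.substr(i, 2), nullptr, 16));
    return out;
}

static uint8_t checksum(const std::string& s) {
    uint8_t sum = 0;
    for (unsigned char c : s) sum = static_cast<uint8_t>(sum + c);
    return sum;
}

// payload = salt byte, 8-bit checksum, plaintext; each byte is XORed with a key
// byte and the previous output byte so equal passwords with different salts differ.
std::string obfuscate(const std::string& plain, uint64_t key, uint8_t salt) {
    std::string payload;
    payload += static_cast<char>(salt);
    payload += static_cast<char>(checksum(plain));
    payload += plain;
    std::string out;
    uint8_t last = 0;
    for (size_t i = 0; i < payload.size(); ++i) {
        uint8_t k = static_cast<uint8_t>(key >> (8 * (i % 8)));
        uint8_t c = static_cast<uint8_t>(payload[i]) ^ k ^ last;
        out += static_cast<char>(c);
        last = c;
    }
    return kMarker + toHex(out);
}

bool isObfuscated(const std::string& value) {
    return value.compare(0, kMarker.size(), kMarker) == 0;
}

// Reverses obfuscate(); throws on a missing marker, a truncated value or a
// checksum mismatch (wrong key or corrupted config entry).
std::string deobfuscate(const std::string& stored, uint64_t key) {
    if (!isObfuscated(stored)) throw std::invalid_argument("value is not obfuscated");
    std::string raw = fromHex(stored.substr(kMarker.size()));
    if (raw.size() < 2) throw std::invalid_argument("truncated value");
    std::string payload;
    uint8_t last = 0;
    for (size_t i = 0; i < raw.size(); ++i) {
        uint8_t c = static_cast<uint8_t>(raw[i]);
        uint8_t k = static_cast<uint8_t>(key >> (8 * (i % 8)));
        payload += static_cast<char>(c ^ k ^ last);
        last = c;
    }
    std::string plain = payload.substr(2);
    if (checksum(plain) != static_cast<uint8_t>(payload[1]))
        throw std::runtime_error("checksum mismatch: wrong key or corrupt value");
    return plain;
}

// One-time migration: convert a legacy plaintext entry and drop it from the
// config. Returns true only if a plaintext entry was found and converted.
bool migrateDatabasePassword(Config& cfg, uint64_t key, uint8_t salt) {
    auto it = cfg.find(kPlainKey);
    if (it == cfg.end()) return false;
    cfg[kObfKey] = obfuscate(it->second, key, salt);
    cfg.erase(it);
    return true;
}

// Loader used after migration; an absent or unmarked entry yields "".
std::string loadDatabasePassword(const Config& cfg, uint64_t key) {
    auto it = cfg.find(kObfKey);
    if (it == cfg.end() || !isObfuscated(it->second)) return "";
    return deobfuscate(it->second, key);
}

// True if deobfuscate() rejects the value under the given key.
bool rejectsKey(const std::string& stored, uint64_t key) {
    try { deobfuscate(stored, key); return false; } catch (const std::exception&) { return true; }
}

// Constructed sample config (example data, not a real digikamrc).
Config sampleLegacyConfig() {
    Config cfg;
    cfg["Database Name"] = "digikam";
    cfg[kPlainKey] = "s3cret";
    return cfg;
}

int main() {
    Config cfg = sampleLegacyConfig();
    migrateDatabasePassword(cfg, kExampleKey, 0x42);
    std::cout << kObfKey << "=" << cfg[kObfKey] << "\n"
              << "loaded: " << loadDatabasePassword(cfg, kExampleKey) << "\n";
}
```

In a real build the salt comes from a random source so that two users with the same password get different stored values; the test below fixes it only to make results reproducible.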