Bug 180966 - Twitter password is getting leaked to /tmp
Summary: Twitter password is getting leaked to /tmp
Status: RESOLVED FIXED
Alias: None
Product: plasma4
Classification: Plasma
Component: widget-microblogging
Version: unspecified
Platform: Compiled Sources Linux
: NOR normal
Target Milestone: ---
Assignee: Plasma Bugs List
URL:
Keywords: triaged
Depends on:
Blocks:
 
Reported: 2009-01-16 14:07 UTC by Ivo Anjo
Modified: 2009-04-28 04:56 UTC

See Also:
Latest Commit:
Version Fixed In:

Description Ivo Anjo 2009-01-16 14:07:45 UTC
Version:            (using Devel)
OS:                Linux
Installed from:    Compiled sources

When I was retesting bug #179476 I noticed that if I selected for plasma to save my password on the config file (instead of using kwallet), my password seems to be leaked to temporary files in /tmp completely unscrambled, and even left there after I've deleted the twitter widget.

knuckles@darkshade:/tmp/kde-knuckles$ grep "thisismypassword" -R .
./plasmatU2497.tmp:password=thisismypassword
./plasmaBh2497.tmp:password=thisismypassword
./plasmaKP5401.tmp:password=thisismypassword
./plasmaqV5401.tmp:password=thisismypassword
./plasmaRm5401.tmp:password=thisismypassword
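The reporter's grep above is a one-off check. As an added example (not from the report or from KDE), the following Python script does the same sweep more systematically over a temp-style directory: it finds files containing `password=`-style keys and records each file's permission bits, so a leak can be classified by whether other users on the host could read it (comment 1 notes the plasma files were user-readable only). The directory, file names and contents below are constructed to resemble the report and are not real data.

```python
import os
import re
import stat
import tempfile

# Constructed sample files mimicking the plasma*.tmp files in the report.
# One of them is deliberately created group/world-readable to show the
# permission classification; the rest are 0600 as comment 1 describes.
SAMPLE_FILES = {
    "plasmatU2497.tmp": "[twitter]\nusername=knuckles\npassword=thisismypassword\n",
    "plasmaBh2497.tmp": "[twitter]\nusername=knuckles\npassword=thisismypassword\n",
    "unrelated.tmp": "[general]\ntheme=default\n",
}
WORLD_READABLE_SAMPLE = "plasmatU2497.tmp"  # constructed choice

# Config keys whose values should never be at rest in plaintext.
SECRET_KEY_RE = re.compile(
    r"^(password|passwd|secret|token)\s*=\s*(\S+)", re.IGNORECASE | re.MULTILINE
)


def make_sample_dir():
    """Create a throwaway directory populated with the constructed sample files."""
    directory = tempfile.mkdtemp(prefix="kde-sample-")
    for name, body in SAMPLE_FILES.items():
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o644 if name == WORLD_READABLE_SAMPLE else 0o600)
    return directory


def scan_for_secrets(directory):
    """Walk `directory`; return one finding per secret-looking key found in a file.

    Each finding carries the file mode so the caller can tell a leak that is
    only readable by the owner from one readable by other local users.
    The secret value itself is never copied into the finding, only its length.
    """
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable or vanished between listing and open
            mode = stat.S_IMODE(os.stat(path).st_mode)
            for match in SECRET_KEY_RE.finditer(text):
                findings.append({
                    "path": path,
                    "key": match.group(1).lower(),
                    "value_len": len(match.group(2)),
                    "mode": mode,
                    "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
                })
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    sample = make_sample_dir()
    for finding in scan_for_secrets(sample):
        flag = "OTHERS CAN READ" if finding["readable_by_others"] else "owner only"
        print(f"{finding['path']}: {finding['key']}= ({finding['value_len']} chars) mode={finding['mode']:o} [{flag}]")
```

Pointing `scan_for_secrets` at a real `/tmp/kde-USER` directory instead of the constructed one gives the same classification for live files; the mode check is the part that distinguishes "secret on disk" from "secret on disk and exposed to other accounts".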
Comment 1 Aaron J. Seigo 2009-01-16 18:23:50 UTC
the files are rw by the user only, and they are now removed as soon as the service is finished with.

at some point i'll implement an in-memory backend for kconfig so that they'll never hit disk at all.
Comment 2 Anselmo L. S. Melo (anselmolsm) 2009-04-25 16:05:32 UTC
In svn trunk r958853 (KDE 4.2.70) the twitter (now microblogging) widget isn't writing passwords in /tmp/kde-USER anymore (same case tested: not using kwallet)
Comment 3 Ivo Anjo 2009-04-28 00:12:47 UTC
Yeah, this seems to be fixed, although I've noticed that plasma/kio may be logging a bit too much:
kio_http(29537) HTTPProtocol::sendQuery: "Authorization: Basic XXXXXXXXXXXX"

Where XXXXXXX is, as per spec, just a base64 encode of user:pw.
Should I file another plasma bug, or elsewhere, or is it supposed to be like this?
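Comment 3's point is that a logged `Authorization: Basic` header is not protected at all: base64 is an encoding, not encryption, so anything that can read the debug log can recover the password. As an added example (not part of the bug report or of kio), the Python below audits constructed log lines in the `kio_http` style shown above, flags the ones carrying Basic credentials, and rewrites them with the token redacted while keeping the username for correlation. The sample lines and the credentials they embed are constructed for this example.

```python
import base64
import re

# Matches the header as it appears inside a quoted log message.
BASIC_RE = re.compile(r"(Authorization:\s*Basic\s+)([A-Za-z0-9+/]+=*)")


def decode_basic(token):
    """Return (user, password) for a valid Basic token, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    text = raw.decode("utf-8", errors="replace")
    user, sep, password = text.partition(":")
    if not sep:
        return None  # RFC 7617 requires a colon between user-id and password
    return user, password


def redact_basic_auth(line):
    """Replace the credential token in `line`, keeping only the username."""
    def _repl(match):
        creds = decode_basic(match.group(2))
        if creds is None:
            return match.group(0)  # not a decodable token; leave untouched
        return f"{match.group(1)}<redacted user={creds[0]}>"
    return BASIC_RE.sub(_repl, line)


def audit_log(lines):
    """Return (line_number, username) for every line that leaks a Basic credential."""
    leaks = []
    for number, line in enumerate(lines, start=1):
        for match in BASIC_RE.finditer(line):
            creds = decode_basic(match.group(2))
            if creds is not None:
                leaks.append((number, creds[0]))
    return leaks


# Constructed sample log, modelled on the kio_http line quoted in comment 3.
_SAMPLE_TOKEN = base64.b64encode(b"knuckles:thisismypassword").decode("ascii")
SAMPLE_LOG = [
    'kio_http(29537) HTTPProtocol::sendQuery: "GET /statuses/friends_timeline.xml HTTP/1.1"',
    f'kio_http(29537) HTTPProtocol::sendQuery: "Authorization: Basic {_SAMPLE_TOKEN}"',
    'kio_http(29537) HTTPProtocol::sendQuery: "User-Agent: Mozilla/5.0 (compatible; Konqueror/4.2)"',
]


if __name__ == "__main__":
    for number, user in audit_log(SAMPLE_LOG):
        print(f"line {number}: Basic credentials for user {user!r} written to log")
    for line in SAMPLE_LOG:
        print(redact_basic_auth(line))
```

Running the block on the sample prints the leak on line 2 and a redacted copy of the log; the same two functions applied to a real kio debug output (which, per comment 4, still contains the header) tell you which accounts' credentials are sitting in the log file.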
Comment 4 Aaron J. Seigo 2009-04-28 04:56:56 UTC
that is how it is supposed to be, at least for now. once we have an in-memory kconfig backend in libkdecore even that will go away, but for now that's what we get.