Version: (using Devel)
OS: Linux
Installed from: Compiled sources

When I was retesting bug #179476 I noticed that if I selected for plasma to save my password on the config file (instead of using kwallet), my password seems to be leaked to temporary files in /tmp completely unscrambled, and even left there after I've deleted the twitter widget.

knuckles@darkshade:/tmp/kde-knuckles$ grep "thisismypassword" -R .
./plasmatU2497.tmp:password=thisismypassword
./plasmaBh2497.tmp:password=thisismypassword
./plasmaKP5401.tmp:password=thisismypassword
./plasmaqV5401.tmp:password=thisismypassword
./plasmaRm5401.tmp:password=thisismypassword
The files are rw by the user only, and they are now removed as soon as the service is finished with. At some point I'll implement an in-memory backend for kconfig so that they'll never hit disk at all.
In svn trunk r958853 (KDE 4.2.70) the twitter (now microblogging) widget isn't writing passwords in /tmp/kde-USER anymore (same case tested: not using kwallet)
Yeah, this seems to be fixed, although I've noticed that plasma/kio may be logging a bit too much:

kio_http(29537) HTTPProtocol::sendQuery: "Authorization: Basic XXXXXXXXXXXX"

Where XXXXXXX is, as per spec, just a base64 encode of user:pw. Should I file another plasma bug, or elsewhere, or is it supposed to be like this?
That is how it is supposed to be, at least for now. Once we have an in-memory kconfig backend in libkdecore even that will go away, but for now that's what we get.
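
Since the debug output discussed above carries the Basic credential token, a log captured from kio_http should be scrubbed before it is attached to a report or shared. The following is an added example, not part of the thread and not KDE code: a Python filter that masks every `Authorization: Basic` token and reports which lines held a token that decodes to the user:password form. The function names, the `[REDACTED]` marker and the sample log lines are assumptions made for this illustration.

```python
import base64
import binascii
import re

# Credential token of an HTTP Basic Authorization header, wherever it sits in a log line.
BASIC_RE = re.compile(r"(Authorization:\s*Basic\s+)([A-Za-z0-9+/]+={0,2})", re.IGNORECASE)


def decodes_to_credentials(token):
    """True if the token is valid base64 whose plaintext has the user:password shape."""
    try:
        decoded = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    return b":" in decoded


def redact_line(line):
    """Mask every Basic token; return (masked_line, confirmed_credentials_found)."""
    confirmed = False

    def mask(match):
        nonlocal confirmed
        if decodes_to_credentials(match.group(2)):
            confirmed = True
        # Mask unconditionally: an undecodable token is still not worth keeping.
        return match.group(1) + "[REDACTED]"

    return BASIC_RE.sub(mask, line), confirmed


def redact_log(lines):
    """Return (masked_lines, 1-based numbers of lines that held decodable credentials)."""
    masked, hits = [], []
    for number, line in enumerate(lines, start=1):
        clean, confirmed = redact_line(line)
        masked.append(clean)
        if confirmed:
            hits.append(number)
    return masked, hits


# Constructed sample input: the log format quoted in the thread, with made-up credentials.
SAMPLE_TOKEN = base64.b64encode(b"alice:example-pass").decode()
SAMPLE_LOG = [
    'kio_http(29537) HTTPProtocol::sendQuery: "Host: example.invalid"',
    'kio_http(29537) HTTPProtocol::sendQuery: "Authorization: Basic %s"' % SAMPLE_TOKEN,
    'kio_http(29537) HTTPProtocol::sendQuery: "Authorization: Basic XXXXXXXXXXXX"',
]

if __name__ == "__main__":
    clean, hits = redact_log(SAMPLE_LOG)
    print("\n".join(clean))
    print("lines with decodable credentials:", hits)
```

Any line number returned in the second value means the unscrubbed log exposed a recoverable password, so that password should be changed even after the log is cleaned.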