Bug 93783 - ftp:// fish:// and other password protected protocols show password in address bar
Status: RESOLVED FIXED
Alias: None
Product: kate
Classification: Applications
Component: general
Version: unspecified
Platform: Debian testing Linux
Importance: NOR normal
Target Milestone: ---
Assignee: KWrite Developers
 
Reported: 2004-11-23 12:39 UTC by Ryan Sinn
Modified: 2005-02-19 14:52 UTC

Attachments
passwords shown in location selection dropdown (58.34 KB, image/png)
2004-11-23 12:40 UTC, Ryan Sinn

Description Ryan Sinn 2004-11-23 12:39:16 UTC
Version:            (using KDE KDE 3.3.1)
Installed from:    Debian testing/unstable Packages
OS:                Linux

I opened a bug about this when it applied to Konq a few months ago... well it looks like it's happening in KATE now.

It seems that if you attempt to access a site through a connection (ssh/ftp/http) that requires authentication and you use a "Location" like:

http://myusername@mysite.com/

It will prompt you for a password and if you check the 'Save Password' box.

If you type in:

ftp://myusername:mypassword@mysite.com/

The same password you had told it to save earlier, it will log you in.

The problem comes when the system stores those Locations in the location history, so basically other people using the computer while the active account is still logged into KDE can see passwords.

I'd expect that with or without KDEWallet, access to password-protected resources would trigger the system to use the saved password or if it is using the saved password to refresh and load the resource.
Comment 1 Ryan Sinn 2004-11-23 12:40:25 UTC
Created attachment 8397
passwords shown in location selection dropdown
Comment 2 Ryan Sinn 2004-11-23 12:41:11 UTC
You can refer to the original bug I filed on KONQ for their solution/patch.


http://bugs.kde.org/show_bug.cgi?id=82281
Comment 3 Anders Lund 2004-11-23 13:10:55 UTC
AFAICS, all applications displaying the URL in the title bar would suffer, as well as apps using KRecentFile.

Would it be acceptable to create a generic solution to this, for example
a) make KRecentFile not store the password (and maybe username?), and
b) make prettyURL not display password/username either, or eventually replace it by 'username:[hidden]'?

Uhm, david, are you reading this?
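
The generic approach proposed in comment 3 (store URLs without the password, display them as 'username:[hidden]'), sketched as an added example that is not part of the original thread or of KDE's code. It uses standard C++ string handling instead of KURL; `redactPassword` and `rememberUrl` are hypothetical names, and the sample URLs are constructed from those in the bug description.

```cpp
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

// Rebuild "scheme://user:password@host/..." without the password (RFC 3986 syntax assumed).
// mask empty  -> password dropped (form to store in history)
// mask given  -> "user:<mask>@host" (display form, e.g. "[hidden]")
std::string redactPassword(const std::string& url, const std::string& mask = "") {
    const std::string::size_type schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos) return url;       // local path or opaque URL
    const std::string::size_type authStart = schemeEnd + 3;
    // The authority stops at the first '/', '?' or '#'; an '@' after that is path data.
    std::string::size_type authEnd = url.find_first_of("/?#", authStart);
    if (authEnd == std::string::npos) authEnd = url.size();
    const std::string authority = url.substr(authStart, authEnd - authStart);
    // Split at the LAST '@' so a password containing a raw '@' is removed whole.
    const std::string::size_type at = authority.rfind('@');
    if (at == std::string::npos) return url;              // no userinfo
    const std::string userinfo = authority.substr(0, at);
    const std::string::size_type colon = userinfo.find(':');
    if (colon == std::string::npos) return url;           // user name only
    std::string out = url.substr(0, authStart) + userinfo.substr(0, colon);
    if (!mask.empty()) out += ":" + mask;
    return out + authority.substr(at) + url.substr(authEnd);
}

// Hypothetical history helper: newest entry first, no duplicates, and entries
// saved earlier with an embedded password are stripped as well.
std::vector<std::string> rememberUrl(const std::vector<std::string>& history,
                                     const std::string& typed) {
    std::vector<std::string> out{redactPassword(typed)};
    for (const std::string& old : history) {
        const std::string safe = redactPassword(old);
        if (std::find(out.begin(), out.end(), safe) == out.end()) out.push_back(safe);
    }
    return out;
}

int main() {
    // Constructed sample history, using the URLs from the bug description.
    const std::vector<std::string> history = {
        "ftp://myusername:mypassword@mysite.com/", "http://myusername@mysite.com/"};
    for (const std::string& u : rememberUrl(history, "fish://myusername:mypassword@mysite.com/src"))
        std::cout << u << '\n';
    std::cout << redactPassword("ftp://myusername:mypassword@mysite.com/", "[hidden]") << '\n';
    return 0;
}
```

Sanitizing the stored list on every update also clears entries that were written to the history before the password was being stripped.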

Comment 4 Anders Lund 2005-02-19 14:52:30 UTC
Fixed in cvs:
Don't show a password in the combobox history (remove it, so that later usage will result in a password prompt

  M +11 -6     katefileselector.cpp   1.48


--- kdebase/kate/app/katefileselector.cpp  #1.47:1.48
@@ -379,7 +379,12 @@ void KateFileSelector::cmbPathActivated(
 void KateFileSelector::cmbPathReturnPressed( const QString& u )
 {
+  kdDebug()<<"opening url "<<u<<endl;
+  KURL typedURL( u );
+  if ( typedURL.hasPass() )
+    typedURL.setPass( QString::null );
+
    QStringList urls = cmbPath->urls();
-   urls.remove( u );
-   urls.prepend( u );
+  urls.remove( typedURL.url() );
+  urls.prepend( typedURL.url() );
    cmbPath->setURLs( urls, KURLComboBox::RemoveBottom );
    dir->setFocus();
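
Review bot: The new kdDebug() line at the top of cmbPathReturnPressed() prints u before the password is cleared, so a typed URL such as ftp://user:pass@host/ still reaches the debug output; drop the line, or move it below the setPass() call and log typedURL.url() instead. Separately, urls.remove( typedURL.url() ) only matches the stripped spelling, so an entry that was saved with its password before this change stays in the combobox history; calling urls.remove( u ) as well would clear it. A one-line comment above the hasPass() check saying why the password is dropped would help later readers.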