Version: (using KDE KDE 3.3.1)
Installed from: Debian testing/unstable Packages
OS: Linux

I opened a bug about this when it applied to Konq a few months ago... well it looks like it's happening in KATE now.

It seems that if you attempt to access a site through a connection (ssh/ftp/http) that requires authentication and you use a "Location" like: http://myusername@mysite.com/ It will prompt you for a password and if you check the 'Save Password' box. If you type in: ftp://myusername:mypassword@mysite.com/ The same password you had told it to save earlier, it will log you in.

The problem comes when the system stores those Locations in the location history, so basically other people using the computer while the active account is still logged into KDE can see passwords.

I'd expect that with or without KDEWallet, access to password-protected resources would trigger the system to use the saved password or if it is using the saved password to refresh and load the resource.
Created attachment 8397: passwords shown in location selection dropdown
You can refer to the original bug I filed on KONQ for their solution/patch. http://bugs.kde.org/show_bug.cgi?id=82281
AFAICS, all applications displaying the URL in the title bar would suffer, as well as apps using KRecentFile. Would it be acceptable to create a generic solution to this, for example a) make KRecentFile not store the password (and maybe username?), and b) make prettyURL not display password/username either, or eventually replace it by 'username:[hidden]'? Uhm, david, are you reading this?
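A standalone sketch of the generic approach proposed in the comment above, added here as an example and not KDE code: `std::string` stands in for KURL, and the helper names (`stripPassword`, `displayUrl`, `addToHistory`) are hypothetical. It goes slightly beyond the proposal by also scrubbing entries that are already in the history.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical helpers; positions of "user[:pass]@" inside scheme://authority/path.
struct UserInfo { std::size_t begin, colon, at; bool hasPass; };

static bool findUserInfo(const std::string& url, UserInfo& ui) {
    std::size_t s = url.find("://");
    if (s == std::string::npos) return false;
    ui.begin = s + 3;
    std::size_t end = url.find_first_of("/?#", ui.begin);
    if (end == std::string::npos) end = url.size();
    // Use the last '@' before the path: a typed password may itself contain '@'.
    std::size_t at = url.rfind('@', end);
    if (at == std::string::npos || at < ui.begin) return false;
    ui.at = at;
    ui.colon = url.find(':', ui.begin);
    ui.hasPass = ui.colon != std::string::npos && ui.colon < at;
    return true;
}

// Form to store in history: the password is dropped, the username is kept.
std::string stripPassword(const std::string& url) {
    UserInfo ui;
    if (!findUserInfo(url, ui) || !ui.hasPass) return url;
    return url.substr(0, ui.colon) + url.substr(ui.at);
}

// Form to display (title bar etc.): the password is replaced by "[hidden]".
std::string displayUrl(const std::string& url) {
    UserInfo ui;
    if (!findUserInfo(url, ui) || !ui.hasPass) return url;
    return url.substr(0, ui.colon + 1) + "[hidden]" + url.substr(ui.at);
}

// Move a typed URL to the top of the history, scrubbing older entries as well.
std::vector<std::string> addToHistory(std::vector<std::string> history,
                                      const std::string& typed) {
    const std::string clean = stripPassword(typed);
    for (auto& h : history) h = stripPassword(h);
    history.erase(std::remove(history.begin(), history.end(), clean), history.end());
    history.insert(history.begin(), clean);
    return history;
}
```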
Fixed in cvs: Don't show a password in the combobox history (remove it, so that later usage will result in a password prompt M +11 -6 katefileselector.cpp 1.48 --- kdebase/kate/app/katefileselector.cpp #1.47:1.48 @@ -379,7 +379,12 @@ void KateFileSelector::cmbPathActivated( void KateFileSelector::cmbPathReturnPressed( const QString& u ) { + kdDebug()<<"opening url "<<u<<endl; + KURL typedURL( u ); + if ( typedURL.hasPass() ) + typedURL.setPass( QString::null ); + QStringList urls = cmbPath->urls(); - urls.remove( u ); - urls.prepend( u ); + urls.remove( typedURL.url() ); + urls.prepend( typedURL.url() ); cmbPath->setURLs( urls, KURLComboBox::RemoveBottom ); dir->setFocus();
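Review bot: the new kdDebug() line at the top of cmbPathReturnPressed() prints u exactly as typed, before typedURL.setPass( QString::null ) runs, so a password entered in the URL still ends up in debug output; log typedURL.url() after the password has been cleared, or drop the line. Separately, the entries returned by cmbPath->urls() are not scrubbed, and urls.remove( typedURL.url() ) will not match an older entry that was saved with its password, so history written before this change keeps showing it; consider clearing the password on each existing entry before calling setURLs().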