Bug 437901

Summary: Klipper security risks
Product: [Plasma] plasmashell Reporter: medin <med.medin.2014>
Component: Clipboard widget & pop-upAssignee: Plasma Bugs List <plasma-bugs-null>
Status: RESOLVED DOWNSTREAM    
Severity: major CC: kde, nate
Priority: NOR    
Version First Reported In: 5.21.5   
Target Milestone: 1.0   
Platform: Other   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:

Description medin 2021-05-31 11:40:22 UTC 
Klipper save copied items permanently in "~/.local/share/klipper/history2.lst" without applying any kind of encryption, and those items persist across multiple logins/reboots, so any previously copied password will always be available and easy to find by any malicious script or program downloaded by user, this is considered high risk for most average users.

I know copying passwords should be done from specialized apps that clear copied passwords from clipboard after certain timeout, or not even use system clipboard manager and consume ctrl+v and paste events/actions to provide copied passwords. But in Plasma we lack any kind of integrated app or widget that manages saving/copying logins and passwords. In other systems that have simple clipboard manager this problem has lower risk because the clipboard is replaced after any new copy (because all happen in volatile memory) and it's cleared after rebooting or logging out so the high sensible data are lost.

NB: I found plasma-pass widget that could be improved to solve this problem but for now it clears the whole clipboard after certain timeout.
Comment 1 David Edmundson 2021-05-31 17:24:36 UTC 
This is configurable.

There is a mechanism by which sensitive data can be marked as not
being something to save in klipper which is used by keepassxc and
others. This is done by adding an additional mimetype tag when the
selection is saved to the clipboard.

Anything else is out of scope.
Comment 2 medin 2021-05-31 19:27:03 UTC 
(In reply to David Edmundson from comment #1)
> This is configurable.
I opened Klipper config dialog and couldn't find any option to do it, where can I find it ? What I want is to avoid Klipper from saving some sensitive info copied from an application (based on JavaFX) which needs heavy copy/paste actions to work.
Comment 3 David Edmundson 2021-05-31 21:02:05 UTC 
"save clipboard contents on exit"

If that doesn't work, please do let me know.
Comment 4 medin 2021-05-31 21:28:58 UTC 
(In reply to David Edmundson from comment #3)
> "save clipboard contents on exit"
> 
> If that doesn't work, please do let me know.

That option just clears the whole Klipper data after logging out. 
What I meant is if there's any way to exclude copied texts within a specific app from being saved or shown in Klipper like how KeePassXC does it ?
Comment 5 David Edmundson 2021-05-31 21:43:28 UTC 
Only through the mechanism keepassxc uses.
Klipper has no other way to determine the source of clipboard data.
Comment 6 medin 2021-05-31 22:42:30 UTC 
(In reply to David Edmundson from comment #5)
> Only through the mechanism keepassxc uses.
> Klipper has no other way to determine the source of clipboard data.

It's technically possible, on Mate I did it with CopyQ to avoid saving my copied data from specific apps like Writer, Eclipse... 
The problem with Plasma desktop is that Klipper cannot be disabled because it causes a loss of data when the origin app from which the data is copied is closed.
Comment 7 Nate Graham 2021-06-08 22:04:35 UTC 
You don't have to totally disable Klipper; just make it behave like the crude clipboards of other platforms by reducing the history size to 1. Then the password in the history will get cleared when another thing is copied.

I agree with David that you should tell the apps in question to mark sensitive clipboard data as such so everything works automatically.
Comment 8 medin 2021-06-08 23:19:42 UTC 
> you should tell the apps in question to mark
> sensitive clipboard data as such so everything works automatically.

It would be cool to have and option to exclude copied text from specific apps.
Comment 9 Nate Graham 2021-06-09 19:17:48 UTC 
It wouldn't help for everything though. For example I manage my passwords with a browser-addon-based system, so telling Klipper to exclude everything from Firefox would make no sense. Ultimately the solution is for apps to behave correctly, not for us to let the user work around broken apps in a zillion different ways. :)