Bug 93783

Summary: ftp:// fish:// and other password protected protocols show password in address bar
Product: [Applications] kate Reporter: Ryan Sinn <ryan>
Component: generalAssignee: KWrite Developers <kwrite-bugs-null>
Status: RESOLVED FIXED    
Severity: normal CC: carstenlohrke
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Debian testing   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:
Attachments: passwords shown in location selection dropdown

Description Ryan Sinn 2004-11-23 12:39:16 UTC 
Version:            (using KDE KDE 3.3.1)
Installed from:    Debian testing/unstable Packages
OS:                Linux

I opened a bug about this when it applied to Konq a few months ago... well it looks like it's happening in KATE now.

It seems that if you attempt to access a site through a connection (ssh/ftp/http) that requires authentication and you use a "Location" like:

http://myusername@mysite.com/

It will prompt you for a password and if you check the 'Save Password' box.

If you type in:

ftp://myusername:mypassword@mysite.com/

The same password you had told it to save earlier, it will log you in.

The problem comes when the system stores those Locations in the location history, so basically other people using the computer while the active account is still logged into KDE can see passwords.

I'd expect that with or without KDEWallet, access to password-protected resources would trigger the system to use the saved password or if it is using the saved password to refresh and load the resource.
Comment 1 Ryan Sinn 2004-11-23 12:40:25 UTC 
Created attachment 8397 [details]
passwords shown in location selection dropdown
Comment 2 Ryan Sinn 2004-11-23 12:41:11 UTC 
you can refer to the original bug I filled on KONQ for their solution/patch.


http://bugs.kde.org/show_bug.cgi?id=82281
Comment 3 Anders Lund 2004-11-23 13:10:55 UTC 
AFAICS, all applications displaying the URL in the title bar would suffer, as well as apps using KRecentFile.

Would it be acceptable to create a generic solution to this, for example
a) make KRecentFile not store the password (and maybe username?), and
b) make prettyURL not display password/username either, or eventually replace it by 'username:[hidden]'?

Uhm, david, are you reading this?
Comment 4 Anders Lund 2005-02-19 14:52:30 UTC 
Fixed in cvs:
Don't show a password in the combobox history (remove it, so that later usage will result in a password prompt

  M +11 -6     katefileselector.cpp   1.48


--- kdebase/kate/app/katefileselector.cpp  #1.47:1.48
@@ -379,7 +379,12 @@ void KateFileSelector::cmbPathActivated(
 void KateFileSelector::cmbPathReturnPressed( const QString& u )
 {
+  kdDebug()<<"opening url "<<u<<endl;
+  KURL typedURL( u );
+  if ( typedURL.hasPass() )
+    typedURL.setPass( QString::null );
+
    QStringList urls = cmbPath->urls();
-   urls.remove( u );
-   urls.prepend( u );
+  urls.remove( typedURL.url() );
+  urls.prepend( typedURL.url() );
    cmbPath->setURLs( urls, KURLComboBox::RemoveBottom );
    dir->setFocus();