Version: 2.3.1 (using KDE 4.4.4)
OS: Linux
/home/naught101/.kde/share/config/amarokrc contains passwords for mysql, and all web services in plaintext. amarokrc is world readable by default, so this is a potential security threat, especially as the mysql password on many systems is the same as the first user account password, which usually has sudo access (e.g. Ubuntu).
Reproducible: Didn't try
This is still an issue in 2.4-GIT.
Interesting, for me access rights are set correctly:
ls -al ~/.kde4/share/config/amarokrc
-rw------- 1 sven users 15802 4. Jul 14:49 /home/sven/.kde4/share/config/amarokrc
Also a survey in #amarok on IRC showed exactly 0 people with different file access rights. So, is that one still an issue at all? Maybe it got fixed by KConfig at some point?
Hrm... appears to be resolved, yes. Only readable by the owner, and it also contains no passwords, although there is still this section:
[Service_Mp3tunes]
email=
harmonyEmail=
harmonyEnabled=false
identifier=1C75...0420
partnerToken=48...20
password=
pin=
(I don't use Mp3tunes). I still think the file shouldn't contain plaintext passwords, just in case the user account is compromised.
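
An added example, not part of the thread or of Amarok's code: a small Python audit for the two conditions discussed above, a config file readable by group or others and credential-like keys holding non-empty values. The sample contents, the `Service_Example` group and the helper names are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Key names as in the [Service_Mp3tunes] section quoted in the thread.
SECRET_KEY = re.compile(r"password|^pin$", re.IGNORECASE)
# Constructed sample; "Service_Example" and its values are made up.
SAMPLE = ("[Service_Mp3tunes]\nemail=\npassword=\npin=\n"
          "[Service_Example]\nusername=alice\npassword=not-a-real-password\n")

def find_plaintext_secrets(text):
    """Return (group, key) pairs for credential-like keys with a non-empty value."""
    hits, group = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        key = key.split("[", 1)[0].strip()  # drop KConfig suffixes such as [$e]
        if sep and value.strip() and SECRET_KEY.search(key):
            hits.append((group, key))
    return hits

def audit(path):
    """Report the file mode, whether group/other can read it, and secret keys."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        secrets = find_plaintext_secrets(fh.read())
    return {"mode": oct(mode),
            "exposed": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
            "secrets": secrets}

def demo():
    """Audit the sample as 0644 (world readable) and again as 0600."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "amarokrc")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        before = audit(path)
        os.chmod(path, 0o600)
        return before, audit(path)

if __name__ == "__main__":
    for report in demo():
        print(report)
```

Tightening the mode to 0600 clears the `exposed` flag but the `secrets` list is unchanged, which is the point made in the comment above: the value is still plaintext to anything running as that user.
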
Converting this to a junior job. This will require making the magnatune service using KWallet. This is akin to the Last.fm service implementation.
I've more or less completed this. Just checking over my code and will submit it to the reviewboard when done.
Andrzej: any news on this?
Instead of just fixing this it was decided (on the mailing lists) that I'd write a common password storage for Amarok which all plugins will then use. Due to exams I currently don't have time to complete it (I'm also working on a GSOC project with Libreoffice which takes up a fair bit of time) -- I'm going to hopefully fix this in the middle of June (i.e. once exams are over). (Ps. this common password storage would also fix 277121. It uses KWallet if available, or gnome-keyring and will be expanded to other keyrings.)
(In reply to comment #7)
> Instead of just fixing this it was decided (on the mailing lists) that I'd
> write a common password storage for Amarok which all plugins will then use.
> Due to exams I currently don't have time to complete it (I'm also working on
> a GSOC project with Libreoffice which takes up a fair bit of time) -- I'm
> going to hopefully fix this in the middle of June (i.e. once exams are over).
>
> (Ps. this common password storage would also fix 277121. It uses KWallet if
> available, or gnome-keyring and will be expanded to other keyrings.)
Any news on this?
(In reply to comment #7)
> Instead of just fixing this it was decided (on the mailing lists) that I'd
> write a common password storage for Amarok which all plugins will then use.
> Due to exams I currently don't have time to complete it (I'm also working on
> a GSOC project with Libreoffice which takes up a fair bit of time) -- I'm
> going to hopefully fix this in the middle of June (i.e. once exams are over).
>
> (Ps. this common password storage would also fix 277121. It uses KWallet if
> available, or gnome-keyring and will be expanded to other keyrings.)
Any news on this, Andrzej?
Reopening. Since there was no news from the previous developer this Junior Job is up for a taker again.
I am picking it up :)
Patch uploaded. Please review :) https://git.reviewboard.kde.org/r/110101/
New review: https://git.reviewboard.kde.org/r/110426/ (also from Vedant)
Still not fixed in amarok v2.8.0
I will work on this bug.
(In reply to Adriano R. Lopes from comment #15)
> I will work on this bug.
Nice, please get in touch with us on the amarok-devel@kde.org mailing list.