Bug 335668 - Dialog showing plaintext password while opening a remote (ftp) file in gnome application
Status: CONFIRMED
Alias: None
Product: krusader
Classification: Applications
Component: net-connection
Version: 2.4.0-beta3 "Single Step"
Platform: Ubuntu Linux
Importance: HI critical
Target Milestone: ---
Assignee: Krusader Bugs Distribution List
Depends on: 371796
Reported: 2014-06-01 23:13 UTC by simone.ted
Modified: 2018-05-06 00:15 UTC
Description simone.ted 2014-06-01 23:13:57 UTC
When trying to open a remote file from an FTP server in GNOME applications (e.g. PDFs in evince, txts in gedit, etc.), Krusader launches the application through this command (seen in ps output):
>>> /usr/bin/gedit ftp://user:{{password}}@172.17.2.1:21/folder/file.txt
where {{password}} is actually the password I previously entered in krusader to open the connection

Then the classical gnome password dialog appears saying:
"Enter password for user:{{password}}@172.17.2.1:21"
displaying the password

Reproducible: Always

Steps to Reproduce:
1. Connect to a password-protected ftp server
2. Open a file using a gnome application
Actual Results:  
Gnome password dialog shows the password in plaintext

Expected Results:  
Don't show the password (don't include it in the command given to open the application)

System environment:
Ubuntu 13.04
Gnome 3.10.4
Comment 1 simone.ted 2014-06-02 09:45:54 UTC
EDIT:
It's Ubuntu 14.04, sorry
Comment 2 Jan Lepper 2015-10-10 13:07:44 UTC
Note to self and other developers:
This is most likely caused by not using KUrl::prettyUrl() / QUrl::toDisplayString() which remove the password from the url string.
Needs separate fix in kde4 branch and master.

Places to check for right usage of KUrl/QUrl:
Panel/panelfunc.cpp
UserAction/expander.cpp
and probably others!
Comment 3 Martin Kostolný 2016-03-13 12:36:45 UTC
Hi! I cannot replicate this issue on krusader-git. @simone.ted can you confirm that it is fixed?
Comment 4 Alex Bikadorov 2016-10-24 19:55:30 UTC
Still in master. Must be fixed!
Comment 5 Alex Bikadorov 2016-10-25 15:56:52 UTC
The problem is actually everywhere. If the initial ftp connection is made by writing the password in plain text into the navigation bar ("ftp://user:password@server.com") the password is never removed. 
* VFS uses the URL with the password while navigating on the ftp server
* all file URLs contain the password, it is not removed when opening files or copying them to clipboard
* sometimes debug output with the URL and password is printed

Dolphin has exactly the same problems.

Removing the password from all URLs is not that simple because the password is never saved and browsing won't work after the first directory listing without entering the password again.

The best solution would be if the KIO listing job saves the password internally and it can be removed after the first connection. This is currently done anyway if no password is provided and the authentication dialog appears.
Comment 6 Alex Bikadorov 2016-10-28 19:12:32 UTC
I don't think we can solve this on our own.
* either we remove the password from the URL and the user has to enter it again
* or we stay with the current situation leaving the password in plain text everywhere. 

The latter case is highly insecure and we should at least tell the user about it. Maybe some warning dialog appearing or something.
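
Added example (not part of the original thread and not Krusader code): a Python sketch of the password removal that Comment 2 attributes to KUrl::prettyUrl() / QUrl::toDisplayString(), applied to the kind of `ps` command line quoted in the description. The function names, the sample lines and the password `s3cret` are constructed for illustration.

```python
import shlex
from urllib.parse import urlsplit, urlunsplit


def strip_password(url):
    """Drop the password from a URL's userinfo; keep user, host and port."""
    parts = urlsplit(url)
    # Split on the LAST "@": an unencoded "@" inside the password stays in userinfo.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at or ":" not in userinfo:
        return url  # no userinfo, or a user name without a password
    user = userinfo.split(":", 1)[0]
    netloc = f"{user}@{hostport}" if user else hostport
    return urlunsplit(parts._replace(netloc=netloc))


def audit_cmdline(cmdline):
    """Return (number of URL arguments carrying a password, redacted command line)."""
    args = shlex.split(cmdline)
    redacted = [strip_password(a) if "://" in a else a for a in args]
    leaks = sum(a != r for a, r in zip(args, redacted))
    return leaks, shlex.join(redacted)


# Constructed sample of process command lines as `ps` would show them.
SAMPLE_PS = [
    "/usr/bin/gedit ftp://user:s3cret@172.17.2.1:21/folder/file.txt",
    "/usr/bin/evince ftp://user@172.17.2.1:21/folder/doc.pdf",
    "/usr/bin/gedit /home/user/notes.txt",
]

if __name__ == "__main__":
    for line in SAMPLE_PS:
        leaks, safe = audit_cmdline(line)
        print(f"{'LEAK' if leaks else 'ok  '} {safe}")
```

As Comment 5 points out, the FTP connection itself still needs the credential, so stripping applies only to the copy of the URL that is shown to the user or handed to another program.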