383144 – Notification pictures get stored on /tmp

Bug 383144 - Notification pictures get stored on /tmp

Summary: Notification pictures get stored on /tmp

Status:	RESOLVED FIXED

Alias:	None

Product:	kdeconnect
Classification:	Applications
Component:	common (show other bugs)
Version:	unspecified
Platform:	Other Linux

Importance:	NOR normal
Target Milestone:	---
Assignee:	Albert Vaca Cintora

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-08-04 23:58 UTC by Aleix Pol
Modified:	2018-01-16 22:00 UTC (History)
CC List:	3 users (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Aleix Pol 2017-08-04 23:58:10 UTC

If I go to /tmp/kdeconnect I get to see which friends messaged me. This is wrong because this is personal data:
- some people encrypt their home folder because of such privacy concerns
- on shared systems one would get to see their each other's acquaintances

Comment 1 Albert Vaca Cintora 2017-08-05 10:40:07 UTC

Every plugin has a storage directory available to it. Maybe we can use that? Or do you thin it would be better to not store images at all, and just have them in memory?

Comment 2 Thomas Posch 2017-08-05 13:58:58 UTC

To me this sounds more like a permission problem.
Remove read/write/execute permissions from group/other and this should be fixed.

Note: all other files in /tmp belonging to my user already have the permissions set this way

Comment 3 Aleix Pol 2018-01-16 22:00:47 UTC

commit 7e7aa6df3fe599e73272be86543fc9f43a2c17d2
Author: Nicolas Fella <nicolas.fella@gmx.de>
Date:   Fri Dec 29 18:38:09 2017 +0100

    Fix information leak via /tmp
    
    Summary: BUG: 383144
    
    Reviewers: #kde_connect, apol, albertvaka
    
    Reviewed By: #kde_connect, apol, albertvaka
    
    Subscribers: thomasp, apol, #kde_connect, albertvaka
    
    Tags: #kde_connect
    
    Differential Revision: https://phabricator.kde.org/D7146