SUMMARY
A screen locker shouldn't allow the user to use the "undo" function of the password input text. The scenario is the following: the user starts typing the password but before hitting "enter" decides to walk away from the computer and no longer unlock it. So they will clear the password from the input text (using the backspace key) and walk away. After this, an adversary getting physical access can simply hit CTRL+Z and then click on the "unhide/show password" button. This way the partial/entire password will be revealed.

STEPS TO REPRODUCE
1. Lock the screen (or run `/usr/lib/x86_64-linux-gnu/libexec/kscreenlocker_greet --testing`)
2. Type the password but don't hit enter
3. Delete the password
4. Hit CTRL+Z

OBSERVED RESULT
The password is back in the text input area.

EXPECTED RESULT
The password should not be there.

SOFTWARE/OS VERSIONS
KDE Plasma Version: 5.25.5
KDE Frameworks Version: 5.98.0
Qt Version: 5.15.6

ADDITIONAL INFORMATION
I've tested on the default Windows and Mac lockers and the "undo" does not work.
Thank you for the bug report! Please note that Plasma 5.25.5 is not supported for much longer by KDE; supported versions are 5.24, and 5.26 or newer. If at all possible please upgrade to a supported version and verify that the bug is still happening there. If you're unsure how to do this, contact your distributor about it.
I've tested in two VMs:
Kubuntu 22.04.1, KDE Plasma Version: 5.24.4
and
KDE Neon User edition, KDE Plasma Version: 5.26.5
It seems that the bug I described is present in Kubuntu and *not* in KDE Neon. I think this means it's not a bug anymore and this bug can be closed.
Yes, it has been fixed meanwhile
*** This bug has been marked as a duplicate of bug 453828 ***
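The steps from this report, replayed against a simplified model of an input field with an undo history; this is an added example, not part of the thread and not Qt or kscreenlocker code. The class, its `keepHistoryForSecrets` switch, the sample password and the grouping of consecutive edits into one undo step are assumptions made for illustration.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Simplified model of an input with undo history; not Qt or kscreenlocker code.
enum class Edit { None, Insert, Delete };

class InputField {
public:
    // keepHistoryForSecrets=true models the behaviour described in the report.
    InputField(bool passwordMode, bool keepHistoryForSecrets)
        : record_(!passwordMode || keepHistoryForSecrets) {}
    void type(char c) { snapshot(Edit::Insert); text_.push_back(c); }
    void backspace() {
        if (text_.empty()) return;
        snapshot(Edit::Delete);
        text_.pop_back();
    }
    // Ctrl+Z: restore the text as it was before the last run of edits.
    bool undo() {
        if (history_.empty()) return false;
        text_ = history_.back();
        history_.pop_back();
        last_ = Edit::None;
        return true;
    }
    const std::string& text() const { return text_; }
private:
    // Assumption: consecutive edits of one kind form a single undo step.
    void snapshot(Edit kind) {
        if (record_ && kind != last_) history_.push_back(text_);
        last_ = kind;
    }
    bool record_;
    Edit last_ = Edit::None;
    std::string text_;
    std::vector<std::string> history_;  // plaintext copies of earlier input
};

// Replays the report's steps: type, delete everything, press Ctrl+Z once.
std::string afterUndo(bool keepHistoryForSecrets, const std::string& typed) {
    InputField field(/*passwordMode=*/true, keepHistoryForSecrets);
    for (char c : typed) field.type(c);
    for (auto i = typed.size(); i > 0; --i) field.backspace();
    field.undo();
    return field.text();
}

int main() {  // "hunter2" is a constructed sample value
    std::cout << "history kept: '" << afterUndo(true, "hunter2") << "'\n"
              << "no history:   '" << afterUndo(false, "hunter2") << "'\n";
}
```

In the model, the field that records no history in password mode also never holds extra plaintext copies of the typed secret, so there is nothing for undo to restore.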