SUMMARY
KDE Plasma Built-in Clipboard manager saves text clipboard history to storage drive, and even hardened settings do not disable this behavior. Works under X11 and Wayland.

STEPS TO REPRODUCE
1. Copy something to the clipboard
2. Check the System Tray for the Clipboard icon
3. Click on it and choose the Settings pictogram
4. In General Configuration, harden all settings as follows:
4.1. Uncheck "Clipboard History"
4.2. Uncheck "Selection and Clipboard"
4.3. If possible, set "Text selection" to "Only when explicitly copied"
4.4. Set "Non-text selection" to "Never save in history"
5. Copy any text you want to
6. Go to ~/.local/share/klipper/data/
7. Choose the most recent folder, and click through the files until you find the text you copied earlier.

OBSERVED RESULT
KDE Plasma built-in Clipboard gives all programs in userspace with user privilege unrestricted access to TEXT CLIPBOARD DATA. Which is sensitive if you don't use password managers, because it does not spread to password managers like KeePass.

EXPECTED RESULT
At least the text clipboard must sit in RAM, not on the storage drive.

SOFTWARE/OS VERSIONS
Operating System: EndeavourOS
KDE Plasma Version: 6.3.2
KDE Frameworks Version: 6.11.0
Qt Version: 6.8.2
Kernel Version: 6.13.5-arch1-1 (64-bit)
Graphics Platform: X11

ADDITIONAL INFORMATION
Vanilla KDE Plasma, vanilla EndeavourOS, default settings.
Created attachment 179091: Showcase
Can reproduce on master. Looking at the code, this seems like a regression introduced in https://invent.kde.org/plasma/plasma-workspace/-/merge_requests/4664. I don't have a Plasma 6.2 image right now so I couldn't check for sure. Previously[0] history was only saved when m_bKeepContents is set.
[0]: https://invent.kde.org/plasma/plasma-workspace/-/blob/a2da3dfac133df4881083203b183340908e1e860/klipper/klipper.cpp#L123
Klipper will clear the history on exit and on initialization, which still matches "save history across desktop sessions".
https://invent.kde.org/plasma/plasma-workspace/-/blob/44d4043b2b74139a9a505754f7c183a52571dd0a/klipper/historymodel.cpp#L176
https://invent.kde.org/plasma/plasma-workspace/-/blob/44d4043b2b74139a9a505754f7c183a52571dd0a/klipper/historymodel.cpp#L546
(In reply to Fushan Wen from comment #3)
> Klipper will clear the history on exit and on initialization, which still
> matches "save history across desktop sessions".
However, always storing the clipboard on disk in a location with default read permissions poses a new unwanted risk for users who don't want to keep history across desktop sessions -- at least the textual selections shouldn't be exposed on disk like this.
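A way to script steps 5 to 7 of the report and the file-permission concern in the comment above, as an added example that is not part of the bug report or of Klipper's code. It assumes GNU grep, find and stat, that copied text is stored as bytes grep can match (as the reporter's manual inspection suggests), and file names without newlines; the function names and the canary string are made up for the example.

```shell
#!/bin/sh
# Added example: verify whether a copied canary string reached Klipper's
# on-disk history, and which history files other local accounts could read.

# Directory named in the report; honours XDG_DATA_HOME when it is set.
klipper_data_dir() {
    printf '%s\n' "${XDG_DATA_HOME:-$HOME/.local/share}/klipper/data"
}

# Print "<octal mode> <path>" for every file under DIR that contains CANARY.
# Returns 0 if the canary is on disk, 1 if it is not or DIR does not exist.
canary_on_disk() {
    dir=$1
    canary=$2
    [ -d "$dir" ] || return 1
    # -F: fixed string, -l: file names only, -e: pattern may start with "-".
    # grep exits 2 on unreadable files even with matches, so test the output.
    hits=$(grep -rlF -e "$canary" -- "$dir" 2>/dev/null) || true
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits" | while IFS= read -r f; do
        stat -c '%a %n' -- "$f"
    done
}

# Print "<octal mode> <path>" for files under DIR that grant read access to
# group or other (any of the 044 mode bits set).
exposed_files() {
    dir=$1
    [ -d "$dir" ] || return 0
    find "$dir" -type f -perm /044 -exec stat -c '%a %n' {} +
}

# Usage, after disabling history as in step 4 and copying a unique string:
#   canary_on_disk "$(klipper_data_dir)" 'canary-3f9c1e' && echo "persisted"
#   exposed_files "$(klipper_data_dir)"
```

A hit from `canary_on_disk` with history disabled reproduces the report; an empty result after a fix or a settings change is the regression check.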
(In reply to fanzhuyifan from comment #4)
> (In reply to Fushan Wen from comment #3)
> > Klipper will clear the history on exit and on initialization, which still
> > matches "save history across desktop sessions".
>
> However, always storing the clipboard on disk in a location with default
> read permissions poses a new unwanted risk for users who don't want to keep
> history across desktop sessions -- at least the textual selections shouldn't
> be exposed on disk like this.
The clipboard history can also be accessed through AT-SPI and the D-Bus interface, so if users really care about their privacy, they should disable the clipboard widget.
*** This bug has been marked as a duplicate of bug 488485 ***
(In reply to Fushan Wen from comment #5)
> The clipboard history can also be accessed through AT-SPI and the D-Bus
> interface, so if users really care about their privacy, they should disable
> the clipboard widget.
As discussed on Matrix, access via AT-SPI can be restricted to only when the widget is active. As for the D-Bus interface, searching through the code, it seems that getClipboardHistoryMenu, getClipboardContents, and getClipboardHistoryItem are only used in the appiumtests. Thus, it is questionable whether these D-Bus methods exposing the entire clipboard history should be enabled for the ordinary user. In addition, the existence of alternate security vulnerabilities doesn't justify introducing more security vulnerabilities.
> *** This bug has been marked as a duplicate of bug 488485 ***
IMO the referenced bug is about having the clipboard history available in the widget, and not about having the clipboard history unconditionally available on disk, which should be separately discussed and evaluated.
> The clipboard history can also be accessed through AT-SPI and the D-Bus interface, so if users really care about their privacy, they should disable the clipboard widget.
Absolutely no.
A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-workspace/-/merge_requests/5292
While I agree with your concern, the "Save history across desktop sessions" option still serves its purpose, so I changed the title.