Review Request: New Kwallet scheme for Khtml user-password form saving (enabling multiple accounts per site)
Martin Sandsmark
sandsmark at samfundet.no
Tue Aug 10 02:48:23 BST 2010
On Thu, Aug 05, 2010 at 05:42:45PM -0000, Ingo Klöcker wrote:
> > All account usernames on the site are stored as PASSWORD value in the FormData
> > folder of Network KWallet with the key:
> > accounts_SITE
> > where SITE stands for host part of the URL.
> I think this is a potential security problem. Let's say there are two
> completely different websites hosted on the same host like
> […]
> Either I misunderstood what your patch does or your patch is IMHO unacceptable because of the above.
Yes, that's a regression security-wise, as KHTML currently uses the full URL
plus the form name.
--
Martin Sandsmark
IT-Komiteen, Samfundet
:wq
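
The scoping difference discussed in this thread, as an added example (not code from the patch or from KHTML): it compares the proposed `accounts_SITE` key with a key built from the full URL plus the form name. The URLs, the form name, the `std::map` stand-in for the wallet folder and the `#` separator are constructed for illustration.

```cpp
#include <iostream>
#include <map>
#include <string>

// Constructed stand-in for the wallet's FormData folder: key -> stored value.
using Folder = std::map<std::string, std::string>;

// Host part of "scheme://host[:port]/path"; minimal parser, ignores userinfo.
std::string hostOf(const std::string &url) {
    std::size_t start = url.find("://");
    start = (start == std::string::npos) ? 0 : start + 3;
    std::size_t end = url.find_first_of(":/?#", start);
    return url.substr(start, end == std::string::npos ? end : end - start);
}

// Key from the patch description: accounts_SITE, SITE = host part of the URL.
std::string hostKey(const std::string &url) { return "accounts_" + hostOf(url); }

// Scoping described in the reply: full URL plus form name.
// The '#' separator is an assumption of this example, not KHTML's format.
std::string urlFormKey(const std::string &url, const std::string &form) {
    return url + "#" + form;
}

// True when a page at `reader` finds the entry saved while visiting `owner`.
bool visibleAcrossPages(bool perHost, const std::string &owner,
                        const std::string &reader, const std::string &form) {
    Folder folder;
    folder[perHost ? hostKey(owner) : urlFormKey(owner, form)] = "alice";
    return folder.count(perHost ? hostKey(reader) : urlFormKey(reader, form)) > 0;
}

int main() {
    // Constructed URLs: two unrelated sites served from one host.
    const std::string a = "http://shared.example/~alice/login.html";
    const std::string b = "http://shared.example/~bob/login.html";
    std::cout << "per-host key:      " << hostKey(a) << " / " << hostKey(b) << "\n"
              << "shared per host:   " << visibleAcrossPages(true, a, b, "login") << "\n"
              << "shared per URL:    " << visibleAcrossPages(false, a, b, "login") << "\n";
    return 0;
}
```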