Review Request: New Kwallet scheme for Khtml user-password form saving (enabling multiple accounts per site)

Martin Sandsmark sandsmark at
Tue Aug 10 02:48:23 BST 2010

On Thu, Aug 05, 2010 at 05:42:45PM -0000, Ingo Klöcker wrote:
> > All account usernames on the site are stored as PASSWORD value in the FormData
> > folder of Network KWallet with the key:
> >   accounts_SITE
> > where SITE stands for host part of the URL.
> I think this is a potential security problem. Let's say there are two
> completely different websites hosted on the same host like
> […]
> Either I misunderstood what your patch does or your patch is IMHO unacceptable because of the above.

Yes, that's a regression security-wise, as KHTML currently uses the full URL
plus the form name.

Martin Sandsmark 
IT-Komiteen, Samfundet 

More information about the kde-core-devel mailing list