[Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

Dan Armbrust daniel.armbrust.list at gmail.com
Mon Jan 9 21:57:01 GMT 2012


On Wed, Jan 4, 2012 at 11:26 PM,  <jordonwii at gmail.com> wrote:
> https://bugs.kde.org/show_bug.cgi?id=267350
>
>--- Comment #1 from Jackson Peacock <pickled kde pepperedpeacock org>  2011-04-04 03:11:36 ---
>I just noticed the same issue. I had stored some filled out forms on an
>encrypted drive. I ran into a bug where the fields I entered weren't
>being displayed after being saved (not even an empty field). I figured the file
>had been corrupted so I copied the original blank form over the filled out one.
>When I opened it all the information I had entered into the form was there
>despite the file having been overwritten. After looking around I found it had
>been written to .kde/share/apps/okular/docdata - on an unencrypted drive. This
>was quite startling to me and not what I expected.
>
>I can understand if there are limitations to the PDF format that prevent you
>from storing the data in the PDF file itself, however you should at least
>inform the user of where the data is being stored before writing it.
>Preferably, it should be stored in the same directory as the PDF as well.
>
>--- Comment #2 from Jackson Peacock <pickled kde pepperedpeacock org>  2011-04-10 20:04:21 ---
>Another limitation of doing it this way is that it appears impossible to have
>multiple copies of the same form filled out differently, even if saved in
>different directories. For example, I filled out my tax forms, and then created
>a new directory with the copied blank forms to do my girlfriend's taxes.
>However, when I opened them they had my value stored in them.
>
>The workaround was to rename the forms and then edit them, but it would match
>user expectations better if each copy of the form had its own set of values.
>
>Finally, I do think the priority on this bug should be higher as it relates to
>user privacy/security.
> --- Comment #3 from  <jordonwii gmail com>  2012-01-05 05:26:15 ---
> Agree with #2. I know the devs are aware of this because there are other issues
> regarding the opening files and having the form remain being filled out
> (intentional feature). However, unsure if they are aware of the security
> implications of this. Developers have any comment?
>

I, and several others, have pointed this out to the developers of
okular nearly 2 years ago.

They are blind, naive, and dare I say foolish.  They call this a
"feature" and refuse to acknowledge that it creates security holes all
over the place.  They have shown no desire to even take the report
seriously.

http://mail.kde.org/pipermail/okular-devel/2010-February/006386.html

Meanwhile, anyone that has ever used okular to fill out a form with
sensitive information has had that information dumped, in clear text,
onto whatever computer they happened to be using.  Without their
knowledge, or permission.

KDE shouldn't even include this program until they fix this.

It's a bad, bad, bad design.  Shame on the okular developers for
continuing to ignore the problem.
___________________________________________________
This message is from the kde mailing list.