[Okular-devel] [Bug 267350] filling out a PDF form saves data to some file in ~/.kde/share/apps/okular/docdata/

Kevin Krammer kevin.krammer at gmx.at
Sun Jan 15 16:14:58 GMT 2012


On Saturday, 2012-01-14, Dan Armbrust wrote:
> On Fri, Jan 13, 2012 at 11:06 AM, Kevin Krammer <kevin.krammer at gmx.at> wrote:
> > When introducing a new party to a conversation, in this case the KDE
> > user mailinglist, it is usually very helpful to provide context to said
> > new party.
> > 
> > When the discussion has happened on one mailinglist so far, a good way to
> > do that is to provide a link to the discussion start in the original
> > mailinglist's archive.
> 
> Apologies, I thought I included the kde list in the initial posts,
> which had the summary info.  It must not have gone through.

Ah, I see. Thanks for the links.

> In short, if you:
> 
> Download a PDF.  Fill in personal information.  Print it.  Close it.
> Never once even hitting save...
> 
> Okular dumps every bit of data that you typed into a clear text file
> in a hidden directory.  At a minimum, it's really bad behavior.  At
> worst, on say, a library terminal, it is opening up every unsuspecting
> user to having their information stolen.

Hmm. Most software with autocompletion support does that. E.g. browsers, email 
programs.
So my guess is that the completion data is not stored in kwallet, like e.g. 
for Konqueror?

> There is no warning, notice, or any such clue within Okular that it is
> doing this.
>
> It's a pretty basic user-interface paradigm that you shouldn't store
> data like that without the user's permission.

Well, I've to admit I've never seen any program doing that. When I fill in 
forms in e.g. Firefox or Konqueror, it doesn't say anything along those lines 
either, but when I am filling in the same form later again, it somehow can 
propose reasonable values for certain fields. So my guess is it also stores my 
previous input somewhere.
Hopefully locally like Okular and not uploading to the server!

> Especially in an application that handles PDF files, which are used
> for private and personal stuff all the time.

See above. At least most of my online bookings contain personal data. How do 
you handle those cases?

Anyway, I agree that the completion data should probably be saved in an 
encrypted file, e.g. KWallet, instead of plain text to mitigate the exposure of 
data in case the security of the user's local storage is compromised.

However I don't see any facts supporting the claim of "virus like behavior".
IMHO that sounds a bit like trying to trigger an emotional rather than a 
rational response in readers of that posting, which ultimately tends to hurt 
the cause more than it helps.
E.g. other supporters of the cause might find out they have been tricked and 
withdraw their support in spite of still being concerned about core issues.

I would recommend lobbying for secure storage of form completion data like 
other form completing programs do.

Cheers,
Kevin
-- 
Kevin Krammer, KDE developer, xdg-utils developer
KDE user support, developer mentoring