[Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/
Lydia Pintscher
lydia at kde.org
Wed Jan 11 09:19:32 UTC 2012
Hi,
> ---------- Forwarded message ----------
> From: Dan Armbrust <daniel.armbrust.list at gmail.com>
> To: bug-control at bugs.kde.org, Okular development <okular-devel at kde.org>, jordonwii at gmail.com, pickled.kde at pepperedpeacock.org, kde at mail.kde.org
> Cc:
> Date: Mon, 09 Jan 2012 15:57:01 -0600
> Subject: Re: [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/
> On Wed, Jan 4, 2012 at 11:26 PM, <jordonwii at gmail.com> wrote:
>> https://bugs.kde.org/show_bug.cgi?id=267350
>>
>>--- Comment #1 from Jackson Peacock <pickled kde pepperedpeacock org> 2011-04-04 03:11:36 ---
>>I just noticed the same issue. I had stored some filled out forms on an
>>encrypted drive. I ran into a bug where the fields I entered didn't weren't
>>being displayed after being saved (not even an empty field). I figured the file
>>had been corrupted so I copied the original blank form over the filled out one.
>>When I opened it all the information I had entered into the form was there
>>despite the file having been overwritten. After looking around I found it had
>>been written to .kde/share/apps/okular/docdata - on an unencrypted drive. This
>>was quite startling to me and not what I expected.
>>
>>I can understand if there are limitations to the PDF format that prevent you
>>from storing the data in the PDF file itself, however you should at least
>>inform the user of where the data is being stored before writing it.
>>Preferably, it should be stored in the same directory as the PDF as well.
>>
>>--- Comment #2 from Jackson Peacock <pickled kde pepperedpeacock org> 2011-04-10 20:04:21 ---
>>Another limitation of doing it this way is that it appears impossible to have
>>multiple copies of the same form filled out differently, even if saved in
>>different directories. For example, I filled out my tax forms, and then created
>>a new directory with the copied blank forms to do my girlfriend's taxes.
>>However, when I opened them they had my value stored in them.
>>
>>The workaround was to rename the forms and then edit them, but it would match
>>user expectations better if each copy of the form had it's own set of values.
>>
>>Finally, I do think the priority on this bug should be higher as it relates to
>>user privacy/security.
>> --- Comment #3 from <jordonwii gmail com> 2012-01-05 05:26:15 ---
>> Agree with #2. I know the devs are aware of this because there are other issues
>> regarding the opening files and having the form remain being filled out
>> (intentional feature). However, unsure if they are aware of the security
>> implications of this. Developers have any comment?
>>
>
> I, and several others have pointed this out to the developers of
> okular nearly 2 years ago.
>
> They are blind, naive, and dare I say foolish. They call this a
> "feature" and refuse to acknowledge that it creates security holes all
> over the place. They have shown no desire to even take the report
> seriously.
>
> http://mail.kde.org/pipermail/okular-devel/2010-February/006386.html
>
> Meanwhile, anyone that has ever used okular to fill out a form with
> sensitive information has had that information dumped, in clear text,
> onto whatever computer they happened to be using. Without their
> knowledge, or permission.
>
> KDE shouldn't even include this program until they fix this.
>
> It's a bad, bad, bad design. Shame on the okular developers for
> continuing to ignore the problem.
Dan, I understand you are frustrated. But this here doesn't help to
solve the problem. In fact it makes it a lot less likely that Albert
or one of the other Okular developers will work on it. So ultimately
you are hurting your case.
Now let's move this forward constructively, please. There are several
ways to do this:
* Work on it yourself if you have the skills.
* Convince someone else to work on it.
* Wait until Albert or one of the other Okular developers finds time
for it. I am sure they have registered by now that this is important
to you.
Cheers
Lydia
--
Lydia Pintscher
KDE Community Working Group / KDE e.V. board member
http://kde.org - http://about.me/lydia.pintscher
More information about the Okular-devel
mailing list