D12539: Klipper: Do not insert secret data into history

Robert Hoffmann noreply at phabricator.kde.org
Thu Apr 26 10:41:44 UTC 2018 

hoffmannrobert created this revision.
Restricted Application added a project: Plasma.
Restricted Application added a subscriber: plasma-devel.
hoffmannrobert requested review of this revision.

REVISION SUMMARY
  Password manager tools like Keepassx offer an option to clear
  the clipboard/selection after some time, e.g. 10 seconds,
  after the password was copied to the clipboard. This works fine,
  but unfortunately the password isn't removed from Klipper's
  history. This is a great security risk, which may make the use
  of password managers impossible.
  
  This patch changes Klipper::applyClipChanges(const QMimeData* clipData)
  where clipboard data is inserted into history. If the data has an
  additional mime type 'x-kde-passwordManagerHint', it is not inserted
  into history.
  
  For this to work as designed, password managers should add the
  additional mime type 'x-kde-passwordManagerHint' to the mimeData
  like following when copying a password to the clipboard:
  
  QMimeData* mimeDataClipboard = new QMimeData();
  const QString secretStr = "secret";
  QByteArray secretBa = secretStr.toUtf8();
  mimeDataClipboard->setText(password);  // this is the password to copy
  mimeDataClipboard->setData("x-kde-passwordManagerHint", secretBa);
  clipboard->setMimeData(mimeDataClipboard, QClipboard::Clipboard);
  
  if (clipboard->supportsSelection()) {
  
    // we cannot use the same QMimedata, it's already owned by clipboard
    QMimeData* mimeDataSelection = new QMimeData();
    mimeDataSelection->setText(password); // this is the password to copy
    mimeDataSelection->setData("x-kde-passwordManagerHint", secretBa);
    clipboard->setMimeData(mimeDataSelection, QClipboard::Selection);
  
  }

REPOSITORY
  R120 Plasma Workspace

BRANCH
  master

REVISION DETAIL
  https://phabricator.kde.org/D12539

AFFECTED FILES
  klipper/klipper.cpp

To: hoffmannrobert
Cc: plasma-devel, ragreen, Pitel, ZrenBot, lesliezhai, ali-mohamed, jensreuterberg, abetts, sebas, apol, mart
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/plasma-devel/attachments/20180426/a1ea8098/attachment-0001.html>

More information about the Plasma-devel mailing list