IJHack / QtPass

QtPass is a multi-platform GUI for pass, the standard unix password manager.
https://qtpass.org/
GNU General Public License v3.0

Clipboard clearing timer does not remove password from KDE klipper #348

Open kreutpet opened 6 years ago

kreutpet commented 6 years ago

Many thanks for creating that tool! Since I moved to pass I am using it on a daily basis and love it.

Concerning the clipboard clearing feature, I recognized that the functionality actually does not remove the copied password from the klipper KDE clipboard utility. "Clipboard cleared" is shown in the Qt status UI, but the copied password remains in the history. I think it is actually a security risk, as the klipper entry needs to be manually cleared.

Not sure if klipper provides a D-Bus interface to also remove the clipboard entry coming from qtpass. Can klipper be configured to not receive the clipboard from qtpass? I am also sure this gets complicated, as klipper is only available in KDE.

thx

kreutpet commented 6 years ago

I looked a bit deeper into the klipper configuration and found the option "Disable Actions for windows of type WM_CLASS". I followed the instructions given and got the following info from qtpass: WM_CLASS(STRING) = "qtpass", "QtPass"

Then I added a new entry in the klipper configuration, but unfortunately was not able to get the intended behavior.

Has anyone got klipper configured to ignore actions from qtpass?

annejan commented 6 years ago

That sounds like something to add to the FAQ and or README

kreutpet commented 6 years ago

Well, I played around with klipper and did not find any solution to prevent passwords copied into klipper from being shown in the klipper history.

If anybody has the same experience or has a solution, please share.

For passwords used on the web I recommend using Firefox and passff, which gives direct access to pass without a copy-paste.

kreutpet commented 6 years ago

This seems to be related: Bug 334646 / Wish 105033

Same argumentation; this is considered a security flaw.

Should we file another bug?

5bentz commented 6 years ago

This issue is not specific to KDE: same behaviour with XFCE4 clipman. For reference: Xfce - blacklist passwords 10112

equaeghe commented 6 years ago

It should be possible, as one developer has done it for his proof-of-concept ‘plasma pass’: https://www.dvratil.cz/2018/05/plasma-pass/

More specifically, at the end of https://cgit.kde.org/scratch/dvratil/plasma-pass.git/tree/plugin/passwordprovider.cpp are the functions that he defines for doing it. He uses klipper-specific code.

rickysarraf commented 5 years ago

I am not sure about qtpass but pass does clear up the Klipper clipboard. In fact, it wipes out the entire Klipper history that was loaded.

kreutpet commented 5 years ago

Yes, I can confirm that the terminal interface of pass does clean the clipboard in KDE. I have not used plasma pass yet; I will give it a try.

equaeghe commented 5 years ago

Yes, I can confirm that the terminal interface of pass does clean the clipboard in KDE.

That is no reason to close this issue. QtPass still doesn't clear the password from the clipboard. (Moreover, clearing the entire Klipper history is not exactly proper behavior.) Please reopen.

kreutpet commented 5 years ago

I looked into plasma-pass -> link

How could these lines of code go into qtpass? I am not so experienced in C++, but how do you handle the KDE dependency when building qtpass for a non-KDE/klipper environment?

greywood commented 5 years ago

If the Copy Password button in QtPass used the 'pass -c' command to copy the password, then a custom-set 'pass' command could point to a wrapper script like this:

#!/bin/bash

# stop the password from being recorded by clipman
xfconf-query -c xfce4-panel -p /plugins/clipman/tweaks/inhibit -s true

# restore clipman on exit so it is ALWAYS re-enabled, even if pass fails or is interrupted
trap 'xfconf-query -c xfce4-panel -p /plugins/clipman/tweaks/inhibit -s false' EXIT

/usr/bin/pass "$@"

This script would be for clipman on xfce4

fabianski7 commented 4 years ago

Any news about this?

matthiasbeyer commented 3 years ago

I'm experiencing the same issue.

equaeghe commented 1 year ago

Relevant upstream bug: https://bugs.kde.org/show_bug.cgi?id=334646

ahippo commented 1 year ago

Relevant upstream bug: https://bugs.kde.org/show_bug.cgi?id=334646

The bug is now closed, and the latest comment there says:

KeepassXC sends copied passwords with custom mime data (application/x-nspasteboard-concealed-type on OS X, x-kde-passwordManagerHint on Linux, and ExcludeClipboardContentFromMonitorProcessing on Windows) to hint for passwords not to be stored in history, [snip]

Klipper supports the x-kde-passwordManagerHint flag AFAIK, so password managers should be setting this flag when copying sensitive data.

So, it sounds like there should be a way for QtPass to also set the proper hints/flags.

Another approach employed by pass itself is to

  1. Save existing clipboard contents
  2. Copy the password into the clipboard
  3. Wait the specified auto-clear timeout
  4. Save existing clipboard contents again (in case someone copied something else while we were waiting)
  5. Clear all clipboard history with qdbus org.kde.klipper /klipper org.kde.klipper.klipper.clearClipboardHistory
  6. Restore the latest saved entry (not the password) back into the clipboard

https://github.com/zx2c4/password-store/blob/1.7.4/src/password-store.sh#L175

It's essentially a workaround, but it works pretty well.
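The six-step pass workaround above, as an added shell example that is not QtPass's or pass's own code: it assumes xclip and qdbus (the klipper D-Bus call from step 5) are on PATH, and keeps the three clipboard primitives as plain functions so another backend can be swapped in.

```shell
#!/bin/sh
# Added example, not QtPass or pass code: the pass-style "copy, wait, scrub
# history, restore" sequence as a reusable wrapper for KDE. Assumes xclip and
# qdbus on PATH; the three clip_* primitives are the only backend-specific part.

CLIP_TIME=${CLIP_TIME:-45}   # seconds the secret stays in the clipboard

# Clipboard contents are passed around base64-encoded so that newlines and
# binary data survive shell variables; an empty clipboard encodes to "".
clip_get() { xclip -o -selection clipboard 2>/dev/null | base64 | tr -d '\n'; }
clip_set() { printf '%s' "$1" | base64 -d | xclip -selection clipboard; }
clip_clear_history() {
    qdbus org.kde.klipper /klipper org.kde.klipper.klipper.clearClipboardHistory >/dev/null 2>&1
}

# clip_secret SECRET [TIMEOUT]: 1. save current clipboard 2. copy the secret
# 3. wait 4. re-read clipboard 5. wipe klipper history 6. restore the latest
# non-secret contents. Returns non-zero if the secret could not be copied.
clip_secret() {
    local secret_b64 timeout before now
    secret_b64=$(printf '%s' "$1" | base64 | tr -d '\n')
    timeout=${2:-$CLIP_TIME}
    before=$(clip_get)
    clip_set "$secret_b64" || return 1
    sleep "$timeout"
    now=$(clip_get)
    # the user copied something else meanwhile: keep that, not the old contents
    if [ "$now" != "$secret_b64" ]; then before=$now; fi
    clip_clear_history
    clip_set "$before"
}

# Background variant so a caller (e.g. a GUI) is not blocked for CLIP_TIME.
clip_secret_bg() { clip_secret "$@" >/dev/null 2>&1 & }
```

Like pass, this only scrubs klipper's history after the timeout; it does not stop klipper from recording the entry in the first place, which is what the x-kde-passwordManagerHint flag is for.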