keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Prompt before executing command stored in the URL field could be disabled #3838

Closed matjon closed 2 years ago

matjon commented 5 years ago

The URL field of a database entry may contain commands, for example cmd://gedit. KeePassXC normally asks for a confirmation before executing the command, but this could be disabled by adding an "additional attribute" to the entry, which is stored in the database. If the user opened a specifically crafted database with a malicious or "funny" URL, the confirmation prompt could be disabled this way and would not be shown.

This defeats the point of having the confirmation prompt at all.

Steps to Reproduce

  1. Open the dialog to create a new entry in a database.
  2. Fill in the fields. Set the URL to something funny or malicious, for example cmd://reboot.
  3. Click on "Advanced" on the left. Create a new "Additional attribute" with name "_EXEC_CMD" and value "1".
  4. Save the entry and the database.
  5. Transfer the database to a victim's computer and trick him into opening the URL via Ctrl+Shift+U.

Expected Behavior

KeePassXC should display a prompt before executing the command in the URL.

Current Behavior

There is no prompt.

Possible Solution

Context

Frequently, some passwords are shared among multiple people in an organization (administration credentials for printer devices, for instance). Setting the URL to something funny (e.g. cmd://reboot) would not be inconceivable and tracing the joker down would not be simple in many cases. KeePassXC has some support for sharing credentials in the database ( https://github.com/keepassxreboot/keepassxc/blob/develop/docs/QUICKSTART.md#using-sharing ).

Debug Info

KeePassXC 2.5.0 Revision: 1ab8a9f

Operating system: Linux CPU architecture: amd64 kernel with 32-bit userspace Kernel: 5.3.8

droidmonkey commented 5 years ago

Sure, if you are sharing a database then you could get "tricked". They also have all of your passwords too and can do far worse than what you propose here. This feature is not meant to be secure when it comes to shared databases.

matjon commented 5 years ago

As I have written, sometimes passwords and password databases are shared among several people:

> Frequently, some passwords are shared among multiple people in an organization (administration credentials for printer devices, for instance). Setting the URL to something funny (e.g. cmd://reboot) would not be inconceivable and tracing the joker down would not be simple in many cases. KeePassXC has some support for sharing credentials in the database ( https://github.com/keepassxreboot/keepassxc/blob/develop/docs/QUICKSTART.md#using-sharing ).
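
For anyone who receives a shared database, the condition reported in this issue can be audited before any URL is opened. The following is an added example, not part of the thread or of KeePassXC's code: it scans an XML export for entries whose URL uses `cmd://` and marks those that also carry the `_EXEC_CMD` attribute with value `1`. It assumes the export follows the KeePass 2 XML layout (`Entry` / `String` / `Key` / `Value`); the function name `audit_cmd_urls` and the sample data are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the (assumed) KeePass 2 XML export layout; not real data.
SAMPLE_XML = """<KeePassFile><Root><Group><Name>Shared</Name>
  <Entry>
    <String><Key>Title</Key><Value>Printer admin</Value></String>
    <String><Key>URL</Key><Value>cmd://reboot</Value></String>
    <String><Key>_EXEC_CMD</Key><Value>1</Value></String>
  </Entry>
  <Entry>
    <String><Key>Title</Key><Value>Editor</Value></String>
    <String><Key>URL</Key><Value>cmd://gedit</Value></String>
  </Entry>
  <Entry>
    <String><Key>Title</Key><Value>Wiki</Value></String>
    <String><Key>URL</Key><Value>https://wiki.example.invalid/</Value></String>
  </Entry>
</Group></Root></KeePassFile>"""


def audit_cmd_urls(xml_text):
    """Return one finding per entry whose URL uses the cmd:// scheme."""
    findings = []
    root = ET.fromstring(xml_text)
    for group in root.iter("Group"):
        # Direct children only, so copies kept under <History> are skipped.
        for entry in group.findall("Entry"):
            fields = {}
            for s in entry.findall("String"):
                key = s.findtext("Key", default="")
                fields[key] = s.findtext("Value", default="") or ""
            url = fields.get("URL", "").strip()
            if not url.lower().startswith("cmd://"):
                continue
            findings.append({
                "group": group.findtext("Name", default=""),
                "title": fields.get("Title", ""),
                "url": url,
                # Attribute name and value "1" are the ones given in the issue.
                "prompt_suppressed": fields.get("_EXEC_CMD", "").strip() == "1",
            })
    return findings


if __name__ == "__main__":
    for f in audit_cmd_urls(SAMPLE_XML):
        level = "HIGH" if f["prompt_suppressed"] else "review"
        print(f"[{level}] {f['group']}/{f['title']}: {f['url']}")
```

Entries reported as `HIGH` are the ones that would run without the confirmation prompt described above; entries marked `review` would still prompt but contain a command worth inspecting.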