owncloud / client

🖥️ Desktop Syncing Client for ownCloud
GNU General Public License v2.0
1.4k stars 662 forks

KDE Wallet and Password timeout Usability/Security Problem #3336

Closed qutorial closed 9 years ago

qutorial commented 9 years ago

Hello.

I would like to report an annoying usability problem on KDE, which could potentially lead to a security problem.

I am using KUbuntu 14.04 and ownCloud client v. 1.8.

Right after the system startup KDE Wallet asks for the password to unlock. I have ownCloud credentials stored there. Unfortunately, the ownCloud client waits too briefly for the password to be entered in KWallet and presents its own password dialog. After that it ignores the opened KWallet, and I have to restart the client before it can read the password from KWallet again. I am restarting the client every time I boot the system and entering the KWallet password.

The desired behavior: wait until the password is entered into KWallet, then get the password for ownCloud from KWallet. Instead of a timeout, monitor whether the KWallet dialog is cancelled and KWallet remains closed intentionally, rather than because I was slow to enter the password.

The security problem might arise because people will not use KWallet and will have a simple password, or will store the password elsewhere insecurely.

Ready to provide any additional information.

Thank you in advance!

qutorial commented 9 years ago

Once more using the template:

Expected behaviour

After the system startup, wait until the password is entered into KWallet, then get the password for ownCloud from KWallet. Instead of a timeout, monitor whether the KWallet dialog is cancelled and KWallet remains closed intentionally, rather than because I was slow to enter the password.

Actual behaviour

Right after the system startup KDE Wallet asks for the password to unlock. I have ownCloud credentials stored there. Unfortunately, the ownCloud client waits too briefly for the password to be entered in KWallet and presents its own password dialog. After that it ignores the opened KWallet, and I have to restart the client before it can read the password from KWallet again. I am restarting the client every time I boot the system and entering the KWallet password.

Steps to reproduce

  1. Use KUbuntu and KWallet
  2. Store the ownCloud client password in KWallet (this happens automatically after you type the password in for the first time)
  3. Reboot the system, making sure that the client starts on startup.
  4. Observe the KWallet dialog, don't enter anything, walk out for a minute, take a coffee
  5. The ownCloud client presents a password dialog, and never asks KWallet for the password until you close it and start over again.
  6. Type the password into KWallet

Here the ownCloud client should log in, but it doesn't.

  7. Quit the ownCloud client
  8. Start the ownCloud client; it will log in.

Server configuration

I am not sure it is relevant.

Client configuration

Client version: 1.8.

Operating system: KUbuntu 14.04

OS language: English

Installation path of client: ?

Logs

The log does not change after the password window wrongly pops up.

06-12 12:41:35:437 0x2222c30 Checking server and authentication
06-12 12:41:35:440 0x2222c30 Trying to look up system proxy
06-12 12:41:35:486 0x2222c30 Bus::open: Can not get ibus-daemon's address.
06-12 12:41:35:487 0x2222c30 IBusInputContext::createInputContext: no connection to ibus-daemon
06-12 12:41:35:440 0x27302a0 virtual void OCC::SystemProxyRunnable::run() Starting system proxy lookup
06-12 12:41:35:488 0x2222c30 void OCC::ConnectionValidator::systemProxyLookupDone(const QNetworkProxy&) Setting QNAM proxy to be system proxy "2://:0"
06-12 12:41:35:514 0x2222c30 !!! OCC::CheckServerJob created for "https://pan.molotnikov.de/ocld" + "status.php"
06-12 12:41:35:614 0x2222c30 status.php returns: QMap(("edition", QVariant(QString, "") ) ( "installed" , QVariant(bool, true) ) ( "maintenance" , QVariant(bool, false) ) ( "version" , QVariant(QString, "8.0.3.4") ) ( "versionstring" , QVariant(QString, "8.0.3") ) ) 0 Reply: QNetworkReplyImpl(0x25f2340)
06-12 12:41:35:614 0x2222c30 * Application: ownCloud found: QUrl( "xxx" ) with version "8.0.3" ( "8.0.3.4" )
06-12 12:41:37:289 0x2222c30 FolderMan: Syncing is disabled, no scheduling.
06-12 12:41:38:935 0x2222c30 Client is on latest version!
06-12 12:42:05:279 0x2222c30 void OCC::FolderMan::slotEtagPollTimerTimeout() No folders need to check for the remote ETag
06-12 12:42:07:433 0x2222c30 Checking server and authentication
06-12 12:42:07:434 0x2222c30 Trying to look up system proxy
06-12 12:42:07:435 0x27302a0 virtual void OCC::SystemProxyRunnable::run() Starting system proxy lookup
06-12 12:42:07:437 0x2222c30 void OCC::ConnectionValidator::systemProxyLookupDone(const QNetworkProxy&) Setting QNAM proxy to be system proxy "2://:0"
06-12 12:42:07:438 0x2222c30 !!! OCC::CheckServerJob created for "xxx" + "status.php"
06-12 12:42:07:528 0x2222c30 status.php returns: QMap(("edition", QVariant(QString, "") ) ( "installed" , QVariant(bool, true) ) ( "maintenance" , QVariant(bool, false) ) ( "version" , QVariant(QString, "8.0.3.4") ) ( "versionstring" , QVariant(QString, "8.0.3") ) ) 0 Reply: QNetworkReplyImpl(0x28a3bc0)
06-12 12:42:07:528 0x2222c30 * Application: ownCloud found: QUrl( "xxx" ) with version "8.0.3" ( "8.0.3.4" )

Here the timeout happens, then the password window wrongly pops up!

I replaced the server URL with xxx.

ogoffart commented 9 years ago

Thanks for the bug report. This is a duplicate of #1902

qutorial commented 9 years ago

I beg your pardon, but it's unclear to me what the outcome of this bug is. Is there a solution for this? I would also argue that the severity is low.

ogoffart commented 9 years ago

The bug is that qtkeychain, which we use, does not really wait for KWallet or even attempt to start it like other KDE applications do. There is an upstream issue for that, https://github.com/frankosterfeld/qtkeychain/issues/25, that @danimo started to look at, but I do not know the status. I don't know why that bug was prioritised this way.
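The root cause named in the comment above is a client-side timer racing the KWallet unlock dialog, and the reporter's expected behaviour is to block until the wallet is unlocked and to fall back to the client's own prompt only when the user explicitly cancels. The Python below is an added example of that decision logic; it is not ownCloud client or qtkeychain code. The D-Bus service, object path, interface and method names (org.kde.kwalletd5, /modules/kwalletd, org.kde.KWallet, open, readPassword, networkWallet), the convention that open returns -1 on cancel, the dbus-python binding and the 24-hour per-call timeout are assumptions, as are the application id, folder and key names in the usage block. The wallet calls are passed in as callables so the branching can be checked with constructed results and no wallet daemon.

```python
"""Wait for KWallet instead of racing it with a timer.

Added example, not ownCloud client or qtkeychain code. Assumed KF5 kwalletd
D-Bus interface: service org.kde.kwalletd5, object /modules/kwalletd,
interface org.kde.KWallet; open() is assumed to return a handle >= 0 once the
wallet is unlocked and -1 when the unlock dialog is dismissed.
"""
from enum import Enum
from typing import Callable, Optional, Tuple

CANCELLED_HANDLE = -1  # assumed kwalletd return value for a dismissed dialog

# libdbus applies its own default reply timeout (roughly 25 s) to every call.
# A blocking open() that expires on that timer while the unlock dialog is
# still on screen would reproduce the reported bug, so the live path raises
# the per-call timeout. The value (seconds) is an assumption.
WALLET_OPEN_TIMEOUT_S = 24 * 60 * 60


class Outcome(Enum):
    FROM_WALLET = "password read from the wallet"
    NOT_STORED = "wallet unlocked but holds no entry: prompt, then store it"
    USER_CANCELLED = "user kept the wallet closed: prompt the user directly"
    WALLET_UNAVAILABLE = "no wallet daemon reachable: prompt the user directly"


def fetch_password(open_wallet: Callable[[], int],
                   read_password: Callable[[int], str]) -> Tuple[Outcome, Optional[str]]:
    """Block on the wallet's own open call and branch on its result.

    There is deliberately no wall-clock timeout here: the unlock dialog belongs
    to the wallet, and only its result (a handle or -1) tells an intentional
    cancel apart from a slow password entry. open_wallet raises OSError when no
    daemon answers at all.
    """
    try:
        handle = open_wallet()
    except OSError:
        return Outcome.WALLET_UNAVAILABLE, None
    if handle == CANCELLED_HANDLE:
        return Outcome.USER_CANCELLED, None
    secret = read_password(handle)
    if not secret:
        return Outcome.NOT_STORED, None
    return Outcome.FROM_WALLET, secret


def kwallet_callbacks(appid: str, folder: str, key: str,
                      wallet_name: Optional[str] = None):
    """Build the two callables on top of dbus-python (assumed installed)."""
    import dbus  # imported lazily so the decision logic stays testable offline

    bus = dbus.SessionBus()
    proxy = bus.get_object("org.kde.kwalletd5", "/modules/kwalletd")
    kwallet = dbus.Interface(proxy, "org.kde.KWallet")
    name = wallet_name or str(kwallet.networkWallet())

    def open_wallet() -> int:
        # Synchronous open: returns when the user unlocks or cancels. The
        # raised reply timeout is what keeps this call alive while the
        # unlock dialog waits for the user.
        try:
            return int(kwallet.open(name, dbus.Int64(0), appid,
                                    timeout=WALLET_OPEN_TIMEOUT_S))
        except dbus.DBusException as exc:
            raise OSError(str(exc)) from exc

    def read_password(handle: int) -> str:
        return str(kwallet.readPassword(handle, folder, key, appid))

    return open_wallet, read_password


if __name__ == "__main__":
    # Live run on a KDE session; appid, folder and key are assumptions.
    opener, reader = kwallet_callbacks("owncloud-example", "Passwords", "owncloud")
    outcome, _secret = fetch_password(opener, reader)
    print(outcome.value)
```

The point of the split is that the only signal consulted is the wallet's own answer: a handle means the user unlocked it (however long that took), -1 means they dismissed the dialog, and a transport error means there is no daemon to wait for. The one timer left in the picture is libdbus's reply timeout, which has to be raised explicitly or it reintroduces the same failure the report describes.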