paolostivanin / OTPClient

Highly secure and easy to use OTP client written in C/GTK3 that supports both TOTP and HOTP
GNU General Public License v3.0

Export: unexpected behavior #305

Closed kklibo closed 8 months ago

kklibo commented 10 months ago

Hi, thanks for writing this tool. Now that GitHub is going to require 2FA, I'll probably be using OTPClient regularly, so I'm giving it a general test. I found a minor issue that may not actually affect anyone's use of the tool, but I thought I'd report it because I was surprised by the program's behavior.

I made a new token and exported it as an andOTP (encrypted) file, and I just left the password blank. This created an unencrypted file identical to the output of andOTP (plain).

I wanted encryption, so I just reattempted the export to the same file, this time with an encryption password. In the UI, it seemed to be successful. However, I checked the file in a hex editor: the output was encrypted, but it was concatenated onto the previous output file, instead of replacing it: this means that my export file still contained the full plaintext export data that I meant to replace.

To improve predictability, I would suggest:
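The report above describes an export that appended the new encrypted blob to the existing file, so the earlier plaintext export survived on disk. As an added example (not OTPClient's own code), here is one way an export routine can guarantee the target is replaced rather than extended: write to a temporary file in the same directory, flush it, then rename it over the destination. The file path used in the check below is a constructed value.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Replace the whole content of `path` with `data`: write to a temporary
 * file in the same directory (so the rename stays on one filesystem),
 * flush it, then rename it over the target. A stale plaintext export can
 * never survive next to the new encrypted one, and a crash mid-write
 * leaves the old file untouched. Returns 0 on success, -1 on error. */
int export_replace_file(const char *path, const unsigned char *data, size_t len)
{
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp)
        return -1;
    int fd = mkstemp(tmp);                 /* unique name, mode 0600 */
    if (fd < 0)
        return -1;
    size_t off = 0;
    while (off < len) {                    /* write() may be partial */
        ssize_t n = write(fd, data + off, len - off);
        if (n < 0) { close(fd); unlink(tmp); return -1; }
        off += (size_t)n;
    }
    if (fsync(fd) != 0 || close(fd) != 0 || rename(tmp, path) != 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}

/* Read the file back so a caller can verify exactly what ended up on
 * disk after a second export. Returns the byte count or -1; caller frees *out. */
long read_whole_file(const char *path, unsigned char **out)
{
    struct stat st;
    FILE *f = fopen(path, "rb");
    if (!f || fstat(fileno(f), &st) != 0) { if (f) fclose(f); return -1; }
    unsigned char *buf = malloc((size_t)st.st_size + 1);
    size_t n = buf ? fread(buf, 1, (size_t)st.st_size, f) : 0;
    fclose(f);
    if (!buf) return -1;
    *out = buf;
    return (long)n;
}
```

A regression check for the bug is then simply: export once with a blank password, export again with a password to the same path, and assert the file on disk is exactly the second payload and no longer than it.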

paolostivanin commented 10 months ago

Hello, thanks a lot for reporting this issue, very appreciated! I'm gonna fix this bug (hopefully) this week :smile:

paolostivanin commented 10 months ago

@kklibo what version are you running and on what OS? I am not able to reproduce this issue :thinking:

kklibo commented 10 months ago

OS is Ubuntu 22.04.3 LTS (kubuntu); I installed OTPClient from the repo (apt install otpclient).

The OTPClient window titlebar says "2.4.4", but apt policy otpclient says Installed: 2.4.6-1.

paolostivanin commented 10 months ago

Oh, I see! You are using an ancient version :smile: please update it to the latest using my PPA (https://github.com/paolostivanin/OTPClient/wiki/Tested-OS-&-Packages => https://launchpad.net/~polslinux/+archive/ubuntu/otpclient).

kklibo commented 10 months ago

Ok, I have jumped forward into the future: with the PPA install, I have 3.1.9 in the About window and Installed: 3.1.9-0ubuntu1~jammy1 from apt policy.

Testing my previous process:

kklibo commented 10 months ago

Adding to my previous comment, it looks like the export command will not ask to confirm the file path: there should probably be some confirmation from the user before overwriting the previous file, just to keep program behavior predictable.

paolostivanin commented 10 months ago

Makes sense, I'll fix that too :) thanks for testing