qgis / QGIS

QGIS is a free, open source, cross platform (lin/win/mac) geographical information system (GIS)
https://qgis.org
GNU General Public License v2.0

Database credentials easily exposed on screen when connection drops #51368

Open weca-theo opened 1 year ago

weca-theo commented 1 year ago

What is the bug or the crash?

QGIS 3.22.8

If loading up a QGIS project file whilst your connection to a database is broken, or if you lose database connection whilst browsing QGIS, QGIS will show an 'Enter Credentials' prompt which exposes all Database credentials. Tested only with PostgreSQL.


Sure, the credentials are stored in my project using the 'Basic' method, and can be discovered in plain text within the .qgs file or within the 'Edit PostGIS Connection' settings, but a light/novice user won't dig that deep. Ultimately, the credentials shouldn't be so easily exposed simply due to a loss of network connection to the DB. At the very least, could the prompt hide the password string?

In my example, these particular credentials are for a read-only role, so risk is low. But it still seems like this exposure issue should be fixed.

Steps to reproduce the issue

Open a project containing a PostgreSQL/PostGIS layer, then disconnect from your network. Now observe credentials being exposed.

Versions

QGIS version: 3.22.8-Białowieża
QGIS code revision: 8d5e9761df
Qt version: 5.15.3
Python version: 3.9.5
GDAL/OGR version: 3.5.0
PROJ version: 9.0.1
EPSG Registry database version: v10.064 (2022-05-19)
GEOS version: 3.10.3-CAPI-1.16.1
SQLite version: 3.38.1
PDAL version: 2.3.0
PostgreSQL client version: 14.3
SpatiaLite version: 5.0.1
QWT version: 6.1.6
QScintilla2 version: 2.13.1
OS version: Windows 10 Version 2009

Active Python plugins:
QGIS3-getWKT: 1.4
QuickWKT: 3.1
db_manager: 0.1.20
processing: 2.12.99

Supported QGIS version

New profile

Additional context

No response

weca-theo commented 1 year ago

Database credentials also exposed in plain sight in the QGIS message splash.

Can we at least remove the password string from these kinds of messages?

weca-theo commented 1 year ago

Appreciate this is technically a feature request rather than a bug, but as it poses a security risk could the suggested changes above be implemented as a priority? I see no need for passwords to be exposed in this way at all.
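An added example, not part of the issue thread and not QGIS's own code: a check that lists the layers in a .qgs project whose datasource string carries a password (the 'Basic' storage method described in the report) and prints each string with the password value masked, as the comments above ask for in prompts and messages. The `<maplayer>`/`<datasource>` layout, the sample project and all of its values are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample project, not taken from the issue. The layout (<maplayer>
# with a <datasource> child holding a libpq-style key=value string) is an
# assumption about the .qgs format; hosts, users and secrets are made up.
SAMPLE_QGS = """<qgis version="3.22.8">
  <projectlayers>
    <maplayer>
      <layername>roads</layername>
      <datasource>dbname='gis' host=db.example.internal port=5432 user='reader' password='s3cr\\'et pw' sslmode=disable table="public"."roads" (geom)</datasource>
    </maplayer>
    <maplayer>
      <layername>parcels</layername>
      <datasource>dbname='gis' host=db.example.internal port=5432 authcfg=abc1234 table="public"."parcels" (geom)</datasource>
    </maplayer>
  </projectlayers>
</qgis>"""

# Matches password=<value>, where the value is either single-quoted (with
# backslash escapes, so an embedded \' does not end the match) or a bare token.
_PASSWORD = re.compile(r"\b(password)\s*=\s*('(?:[^'\\]|\\.)*'|\S+)", re.IGNORECASE)


def redact(conninfo: str) -> str:
    """Mask the password value, keeping the rest of the string for diagnostics."""
    return _PASSWORD.sub(r"\1='***'", conninfo)


def audit_project(xml_text: str) -> list[tuple[str, str]]:
    """Return (layer name, redacted datasource) for layers embedding a password."""
    findings = []
    root = ET.fromstring(xml_text)
    for layer in root.iter("maplayer"):
        source = layer.findtext("datasource") or ""
        if _PASSWORD.search(source):
            name = layer.findtext("layername") or "<unnamed>"
            findings.append((name, redact(source)))
    return findings


if __name__ == "__main__":
    for name, source in audit_project(SAMPLE_QGS):
        print(f"{name}: {source}")
```

Layers that reference a stored authentication configuration instead of an inline password (the second sample layer) are not reported.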