Clipboard clearing timer does not remove password from KDE klipper

Open kreutpet opened this issue 7 years ago • 15 comments

Many thanks for creating this tool! Since I moved to pass I have been using it on a daily basis and love it.

Concerning the clipboard clearing feature, I noticed that the functionality does not actually remove the copied password from the Klipper KDE clipboard utility. "Clipboard cleared" is shown in the Qt status UI. The copied password remains in the history. I think this is actually a security risk, as the Klipper entry needs to be manually cleared.

Not sure if Klipper provides a D-Bus interface to also remove the clipboard entry coming from QtPass. Can Klipper be configured to not receive the clipboard from QtPass? I am also sure this gets complicated, as Klipper is only available in KDE.

thx

kreutpet avatar Jan 17 '18 18:01 kreutpet

I looked a bit deeper into the Klipper configuration and found the option "Disable Actions for windows of type WM_CLASS". I followed the instructions given and got the following info from QtPass: WM_CLASS(STRING) = "qtpass", "QtPass"

Then I added a new entry in the Klipper configuration, but unfortunately I was not able to get the intended behavior.

Has anyone got Klipper configured to ignore actions from QtPass?

kreutpet avatar Jan 19 '18 21:01 kreutpet

That sounds like something to add to the FAQ and/or README.

annejan avatar Jan 19 '18 21:01 annejan

Well, I played around with Klipper and did not find any solution to prevent passwords copied into Klipper from being shown in the Klipper history.

If anybody has the same experience or has a solution, please share.

For passwords used on the web I recommend using Firefox and passff, which give direct access to pass without copy and paste.

kreutpet avatar Jan 28 '18 10:01 kreutpet

This seems to be related: Bug 334646 / Wish 105033

Same argumentation: this is considered a security flaw.

Should we file another bug?

kreutpet avatar Jan 28 '18 16:01 kreutpet

This issue is not specific to KDE: same behaviour with XFCE4 clipman. For reference: Xfce - blacklist passwords 10112

5bentz avatar Feb 07 '18 12:02 5bentz

It should be possible, as one developer has done it for his proof-of-concept ‘plasma pass’: https://www.dvratil.cz/2018/05/plasma-pass/

More specifically, at the end of https://cgit.kde.org/scratch/dvratil/plasma-pass.git/tree/plugin/passwordprovider.cpp are the functions that he defines for doing it. He uses klipper-specific code.

equaeghe avatar Sep 12 '18 12:09 equaeghe

I am not sure about qtpass but pass does clear up the Klipper clipboard. In fact, it wipes out the entire Klipper history that was loaded.

rickysarraf avatar Nov 30 '18 13:11 rickysarraf

Yes, I can confirm that the terminal interface of pass does clean the clipboard in KDE. I have not used plasma pass yet. I will give it a try.

kreutpet avatar Dec 01 '18 16:12 kreutpet

> Yes, I can confirm that the terminal interface of pass does clean the clipboard in KDE.

That is no reason to close this issue. QtPass still doesn't clear the password from the clipboard. (Moreover, clearing the entire Klipper history is not exactly proper behavior.) Please reopen.

equaeghe avatar Dec 01 '18 20:12 equaeghe

I looked into plasma-pass -> link

How could these lines of code go into QtPass? I am not so experienced in C++, but how would the KDE dependency be handled when building QtPass for a non-KDE/Klipper environment?

kreutpet avatar Dec 23 '18 09:12 kreutpet

If the Copy Password button in QtPass used the 'pass -c' command to copy the password, then a custom set 'pass' command could point to a wrapper script like this:

```bash
#!/bin/bash

# Restore clipman whenever the script exits, even if pass fails.
# Set before inhibiting so clipman is never left disabled.
trap 'xfconf-query -c xfce4-panel -p /plugins/clipman/tweaks/inhibit -s false' EXIT

# Stop the password from being recorded by clipman
xfconf-query -c xfce4-panel -p /plugins/clipman/tweaks/inhibit -s true

# Run the real pass with the original arguments; its exit status is preserved
/usr/bin/pass "$@"
```

This script would be for clipman on xfce4

greywood avatar Feb 17 '19 21:02 greywood

Any news about this?

fabianski7 avatar Jul 06 '20 21:07 fabianski7

I'm experiencing the same issue.

matthiasbeyer avatar Oct 18 '20 10:10 matthiasbeyer

Relevant upstream bug: https://bugs.kde.org/show_bug.cgi?id=334646

equaeghe avatar Jan 03 '23 15:01 equaeghe

> Relevant upstream bug: https://bugs.kde.org/show_bug.cgi?id=334646

The bug is now closed, and the latest comment there says:

KeepassXC sends copied passwords with custom mime data (application/x-nspasteboard-concealed-type on OS X, x-kde-passwordManagerHint on Linux, and ExcludeClipboardContentFromMonitorProcessing on Windows) to hint for passwords not to be stored in history, [snip]

Klipper supports the x-kde-passwordManagerHint flag AFAIK, so password managers should be setting this flag when copying sensitive data.

So, it sounds like there should be a way for QtPass to also set the proper hints/flags.

Another approach employed by pass itself is to

  1. Save existing clipboard contents
  2. Copy the password into the clipboard
  3. Wait the specified auto-clear timeout
  4. Save existing clipboard contents again (in case someone copied something else while we were waiting)
  5. Clear all clipboard history with qdbus org.kde.klipper /klipper org.kde.klipper.klipper.clearClipboardHistory
  6. Restore the latest saved entry (not the password) back into the clipboard

https://github.com/zx2c4/password-store/blob/1.7.4/src/password-store.sh#L175

It's essentially a workaround, but it works pretty well.

ahippo avatar Mar 06 '23 03:03 ahippo
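
The six-step sequence described in the last comment, written out as an added example (it is not code from pass, QtPass or any commenter). It assumes xclip for the X11 clipboard and qdbus for Klipper; the function names `clip_read`, `clip_write`, `clip_clear_history` and `copy_secret` are illustrative.

```bash
#!/bin/sh
# Added example: save / copy / wait / re-save / clear history / restore.
# Clipboard access sits behind three functions so the flow can be exercised
# without a desktop session. Assumed tools: xclip (X11) and qdbus (Klipper).

clip_read()  { xclip -o -selection clipboard 2>/dev/null; }
clip_write() { xclip -selection clipboard; }          # reads data from stdin
clip_clear_history() {
    # Becomes a no-op when qdbus is missing or Klipper is not running.
    qdbus org.kde.klipper /klipper \
        org.kde.klipper.klipper.clearClipboardHistory >/dev/null 2>&1 || true
}

# copy_secret SECRET [TIMEOUT_SECONDS]
# The ( ... ) body runs in a subshell, so its variables never leak to the caller.
copy_secret() (
    secret=$1
    timeout=${2:-45}

    # 1. Save the current clipboard; base64 keeps newlines and binary data intact.
    before=$(clip_read | base64)
    # 2. Publish the password.
    printf '%s' "$secret" | clip_write
    # 3. Wait for the auto-clear timeout.
    sleep "$timeout"
    # 4. Re-read: if the user copied something else meanwhile, restore that instead.
    now=$(clip_read | base64)
    if [ "$now" != "$(printf '%s' "$secret" | base64)" ]; then
        before=$now
    fi
    # 5. Wipe Klipper's history, which still holds the password.
    clip_clear_history
    # 6. Put the saved non-password entry back on the clipboard.
    printf '%s' "$before" | base64 -d | clip_write
)

# Typical call, backgrounded so the caller is not blocked for the timeout:
#   copy_secret "$secret_value" 45 &
```

Step 5 discards the user's whole Klipper history, not just the password entry, which is the side effect objected to earlier in the thread.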