🔒 Fix search information leak#603
Merged
phoerious merged 1 commit intokeepassxreboot:developfrom May 28, 2017
Merged
Conversation
Contributor
|
The thing is that in some use-case, the user want to maintain the search term when the db is locked to reload the search when it's unlocked. Maybe we should handle also this situation. |
Member
|
I think it's fine to just delete the field contents. Whatever that other use case would be, security comes first. |
droidmonkey
approved these changes
May 28, 2017
louib
approved these changes
May 28, 2017
Contributor
|
@hifi can you rebase this on top of latest develop? |
Contributor
Author
|
Done. |
phoerious
approved these changes
May 28, 2017
droidmonkey
added a commit
that referenced
this pull request
Jun 25, 2017
- Added YubiKey 2FA integration for unlocking databases [#127] - Added TOTP support [#519] - Added CSV import tool [#146, #490] - Added KeePassXC CLI tool [#254] - Added diceware password generator [#373] - Added support for entry references [#370, #378] - Added support for Twofish encryption [#167] - Enabled DEP and ASLR for in-memory protection [#371] - Enabled single instance mode [#510] - Enabled portable mode [#645] - Enabled database lock on screensaver and session lock [#545] - Redesigned welcome screen with common features and recent databases [#292] - Multiple updates to search behavior [#168, #213, #374, #471, #603, #654] - Added auto-type fields {CLEARFIELD}, {SPACE}, {{}, {}} [#267, #427, #480] - Fixed auto-type errors on Linux [#550] - Prompt user prior to executing a cmd:// URL [#235] - Entry attributes can be protected (hidden) [#220] - Added extended ascii to password generator [#538] - Added new database icon to toolbar [#289] - Added context menu entry to empty recycle bin in databases [#520] - Added "apply" button to entry and group edit windows [#624] - Added macOS tray icon and enabled minimize on close [#583] - Fixed issues with unclean shutdowns [#170, #580] - Changed keyboard shortcut to create new database to CTRL+SHIFT+N [#515] - Compare window title to entry URLs [#556] - Implemented inline error messages [#162] - Ignore group expansion and other minor changes when making database "dirty" [#464] - Updated license and copyright information on souce files [#632] - Added contributors list to about dialog [#629]
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
When databases are locked, end search mode if it was activated and clear the visible input field for search term.
The
DatabaseWidget::endSearch()call onDatabaseWidget::lock()clears the search term from memory regardless if search mode was active or not.Adding a default argument for
SearchWidget::databaseChanged()allows using the existing method for lock signaling.Motivation and context
A user on IRC pointed out that the search field is not cleared when locking databases and it could be perceived as unintentional information leak.
@TheZ3ro said the maintainers are considering this but no issue was ever opened.
How has this been tested?
Locking/unlocking databases multiple databases, switching databases.
Types of changes
Checklist: