Security: Don't copy passwords to remote clients

When copying a password to the clipboard, password managers can set the additional mime type "x-kde-passwordManagerHint" to tell klipper not to insert secrets into its history.

This change prevents krdc from copying passwords to remote clients by checking the mime type before sending clipboard contents.

Test: Open a krdc connection to a remote client. On the local machine, run the password manager keepassxc, which is known to set "x-kde-passwordManagerHint".

Select an entry from your password list and copy the password into the clipboard by pressing Ctrl-C. Locally, the password will stay in the clipboard for about 10 seconds but will not be inserted into klipper's history. Check the clipboard on the remote machine. Without this patch the password will be there and in klipper's history; with the patch applied it will not.
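
The check described above, as an added illustration that is not krdc's code: a plain C++ model (no Qt) in which a clipboard offer is a map from MIME type to payload. `ClipboardOffer`, `isMarkedSecret` and `textForRemote` are hypothetical names, and treating the mere presence of the hint as sufficient is an assumption.

```cpp
// Added illustration; not krdc source. Models a clipboard offer without Qt.
#include <iostream>
#include <map>
#include <string>

// One clipboard offer: MIME type -> payload, as the local clipboard exposes it.
typedef std::map<std::string, std::string> ClipboardOffer;

// The hint named in the merge request description.
const std::string kPasswordHint = "x-kde-passwordManagerHint";

// True when the source application marked the offer as a secret.
// Assumption: presence of the format is enough (fail closed, value ignored).
bool isMarkedSecret(const ClipboardOffer &offer) {
    return offer.find(kPasswordHint) != offer.end();
}

// Writes the text to send to the remote side into `out` and returns true,
// or returns false when nothing may be sent. The hint is checked on the whole
// offer before any single format is read, so a secret cannot leave through
// text/plain while the hint travels as a separate format.
bool textForRemote(const ClipboardOffer &offer, std::string &out) {
    if (isMarkedSecret(offer)) {
        return false;  // password manager copy: keep it local
    }
    ClipboardOffer::const_iterator text = offer.find("text/plain");
    if (text == offer.end()) {
        return false;  // nothing textual to forward
    }
    out = text->second;
    return true;
}

int main() {
    // Constructed sample offers.
    ClipboardOffer ordinary;
    ordinary["text/plain"] = "meeting at 10:00";
    ClipboardOffer fromPasswordManager;
    fromPasswordManager["text/plain"] = "constructed-sample-password";
    fromPasswordManager[kPasswordHint] = "secret";
    const ClipboardOffer *offers[] = {&ordinary, &fromPasswordManager};
    for (const ClipboardOffer *offer : offers) {
        std::string out;
        bool send = textForRemote(*offer, out);
        std::cout << (send ? "forward: " + out : std::string("withheld")) << "\n";
    }
    return 0;
}
```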
