Skip to content

Security: Don't copy passwords to remote clients

When copying a password to the clipboard, password managers can set the additional mime type "x-kde-passwordManagerHint" to tell klipper not to insert secrets into its history.

This change prevents krdc from copying passwords to remote clients by checking the mime type before sending clipboard contents.

Test: Open a krdc connection to a remote client. On the local machine, run the password manager keepassxc, which is known to set "x-kde-passwordManagerHint".

Select an entry from your password list and copy the password into the clipboard by pressing Ctrl-C. Locally, the password will stay in clipboard for about 10 seconds but will not be inserted into klipper's history. Check the clipboard on the remote machine. Without this patch the password will be there and in klipper's history, with the patch applied not.

Merge request reports

Loading