List: kde-core-devel
Subject: Re: KPasswordEdit and security
From: Frans Englich <englich () kde ! org>
Date: 2007-01-01 12:45:19
Message-ID: 200701011345.19106.englich () kde ! org
On Tuesday 26 December 2006 22:17, Albert Astals Cid wrote:
> Hi, KPasswordEdit is using a char * internally to store the password. There
> is a note in the header that says "I believe this is safer than a
> QString.". I'm not much into security but I would want some confirmation if
> it is safer to use a char* than a QString.
>
> I'm asking this because I want to fix bug 138997, a bug in KPasswordEdit
> (storing char * and some input method related things) makes it impossible
> to input passwords with non-ascii characters. One could fix that porting
> that internal char* to internal ushort*, but that's not trivial, and if
> there is no strong security reason I think we can just drop KPasswordEdit
> altogether for KDE4 and use QLineEdit.

Apart from the security discussions up till now ("one can use QSecureArray or
lock memory pages"), I think they step aside from what this thread brings up:
that KPasswordEdit can't handle Unicode. I find that quite a severe bug.

So, perhaps a good start is to take Unicode support into account before
looking at more sophisticated security measures (which I as well question
whether it's doable globally in KDE and if it doesn't belong on the OS
level).

Cheers,

Frans