KeePassHTTP: Invalid URLs in title/URL leads to false positives #1340

Closed
yan12125 opened this issue Jan 1, 2018 · 5 comments

yan12125 commented Jan 1, 2018

Expected Behavior

The KeePassHTTP plugin returns matched entries only

Current Behavior

When the title or URL field in an entry contains an invalid URL, the entry is returned

Possible Solution

Reject invalid URLs in Service::matchUrlScheme() (untested)

Steps to Reproduce (for bugs)

  1. Create an entry with title https://example.com foobar. Note that there's a space before foobar
  2. Check matched entries from KeePassHTTP in browsers

Context

This is a follow-up to #1017

Debug Info

KeePassXC - Version 2.2.4
Revision: ad8fca2

Libraries:

  • Qt 5.10.0
  • libgcrypt 1.8.2

Operating system: Arch Linux
CPU architecture: x86_64
Kernel: linux 4.14.9-1-ARCH

Enabled extensions:

  • KeePassHTTP
  • Auto-Type
  • YubiKey
  • SSH Agent
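
The "Possible Solution" in the report above, sketched as an added example that is not KeePassXC's own code: an entry field is parsed strictly, and a field that fails parsing is never treated as a match. `strictHost` and `entryMatches` are hypothetical names, and exact host equality is an assumed matching policy.

```cpp
// Added illustration, not KeePassXC source. strictHost() and entryMatches()
// are hypothetical names; exact host equality is an assumed matching policy.
#include <cctype>
#include <iostream>
#include <string>

// Extract the lowercase host of an http(s) URL into `host`.
// Returns false when the field is not a well-formed URL.
bool strictHost(const std::string& field, std::string& host) {
    for (unsigned char c : field)
        if (c <= 0x20 || c == 0x7f) return false;  // whitespace or control byte
    std::size_t start;
    if (field.compare(0, 8, "https://") == 0) start = 8;
    else if (field.compare(0, 7, "http://") == 0) start = 7;
    else return false;  // no scheme: a plain title, not a URL
    std::size_t end = field.find_first_of("/?#", start);
    host = field.substr(start, end == std::string::npos ? end : end - start);
    std::size_t at = host.rfind('@');
    if (at != std::string::npos) host.erase(0, at + 1);  // drop userinfo
    std::size_t colon = host.find(':');
    if (colon != std::string::npos) {
        for (std::size_t i = colon + 1; i < host.size(); ++i)
            if (!std::isdigit(static_cast<unsigned char>(host[i]))) return false;
        host.erase(colon);  // drop a numeric port
    }
    if (host.empty()) return false;
    for (char& c : host) {
        unsigned char u = static_cast<unsigned char>(c);
        if (!std::isalnum(u) && u != '-' && u != '.') return false;
        c = static_cast<char>(std::tolower(u));
    }
    return true;
}

// A field that fails strict parsing is never a match, so it cannot fall
// through to a looser comparison. requestHost is assumed to be lowercase.
bool entryMatches(const std::string& field, const std::string& requestHost) {
    std::string host;
    return strictHost(field, host) && host == requestHost;
}

int main() {
    // Constructed sample fields; the first is the title from the report.
    const char* fields[] = {"https://example.com foobar",
                            "https://example.com/login", "My bank"};
    for (const char* f : fields)
        std::cout << '"' << f << "\" -> "
                  << (entryMatches(f, "example.com") ? "match" : "no match") << '\n';
    return 0;
}
```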

yan12125 commented Jan 6, 2018

Here's some good news: the new browser plugin does not have this issue.


rugk commented Jan 6, 2018

Which version?


rugk commented Jan 6, 2018

v1.0.9 is still affected here.


yan12125 commented Jan 6, 2018

@rugk: Sorry if my comment was misleading. I was referring to @varjolintu's keepassxc-browser work. That plugin requires the latest git version of KeePassXC. AFAIK it's going to be included in KeePassXC 2.4.0, which is still on its way.

UPDATE: Removal of KeePassHTTP is postponed to 2.4 (#1752)


rugk commented Feb 4, 2018

BTW it always seems to request that one entry (bad password) for all password fields where it does not recognize/find a different password. Almost seems like this is a simple array iteration issue or so where it chooses [0] if it cannot find an entry…

yan12125 changed the title from "KeePassHTTP: Invalid URLs in title/URL leads to false positives" to "KeePassHTTP: Invalid URLs in URL leads to false positives" on Oct 15, 2018

yan12125 changed the title from "KeePassHTTP: Invalid URLs in URL leads to false positives" to "KeePassHTTP: Invalid URLs in title/URL leads to false positives" on Oct 15, 2018