Secret Service Integration: fix all exposed entries are returned if search with empty terms #4008
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Ping. @droidmonkey I'm not sure if you are going to merge this in 2.5.2? |
|
Yes I will, sorry it wasn't tagged properly |
droidmonkey
approved these changes
Dec 28, 2019
droidmonkey
added a commit
that referenced
this pull request
Jan 4, 2020
Added - Browser: Show UI warning when entering invalid URLs [#3912] - Browser: Option to use an entry only for HTTP auth [#3927] Changed - Disable the user interface when merging or saving the database [#3991] - Ability to hide protected attribute after reveal [#3877] - Remove mention of "snaps" in Windows and macOS [#3879] - CLI: Merge parameter for source database key file (--key-file-from) [#3961] - Improve GUI tests reliability on Hi-DPI displays [#4075] - Disable deprecation warnings to allow building with Qt 5.14+ [#4075] - OPVault: Use 'otp' attribute for TOTP field imports [#4075] Fixed - Fix crashes when saving a database to cloud storage [#3991] - Fix crash when pressing enter twice while opening database [#3885] - Fix handling of HTML when displayed in the entry preview panel [#3910] - Fix start minimized to tray on Linux [#3899] - Fix Auto Open with key file only databases [#4075] - Fix escape key closing the standalone password generator [#3892] - macOS: Fix monospace font usage in password field and notes [#4075] - macOS: Fix building on macOS 10.9 to 10.11 [#3946] - Fix TOTP setup dialog not closing on database lock [#4075] - Browser: Fix condition where additional URLs are ignored [#4033] - Browser: Fix subdomain matching to return only relevant site entries [#3854] - Secret Service: Fix multiple crashes and incompatibilities [#3871, #4009, #4074] - Secret Service: Fix searching of entries [#4008, #4036] - Secret Service: Fix behavior when exposed group is recycled [#3914] - CLI: Release the database instance before exiting interactive mode [#3889] - Fix (most) memory leaks in tests [#3922]
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Type of change
Description and Context
When using
secret-toolor any other client to search the database via secret service API, KeePassXC will return all exposed entries if the searching terms contain onlyPassword.Example:
secret-tool search --all Password abcThe intended behavior is to not allow searching by password at all. Because the terms are passed in clear text which is insecure. In the implementation, any term matching
Passwordis skipped. But if that is the only term, an empty term list is passed toEntrySearcher, which will return all entries.This fix checks if the term list is empty and return not found if it is.
Testing strategy
Tested manually by
Nothing should be returned.
Checklist:
-DWITH_ASAN=ON. [REQUIRED]