Set additional Clipboard security flags on windows #7127

Open
thedewi opened this issue Nov 15, 2021 · 4 comments · May be fixed by #11521

thedewi commented Nov 15, 2021

Overview

Unlike KeePass 2.x, KeePassXC is not setting the "Clipboard Viewer Ignore" format when populating the clipboard, resulting in plaintext passwords being saved by clipboard history tools and similar.

Source code: https://github.com/dlech/KeePass2.x/blob/0defb69f48687de62a4dbfad3213387371a3e8be/KeePass/Util/ClipboardUtil.Windows.cs#L189-L194

Sorry this isn't a PR.

I possibly shouldn't have classed this as "Bug" - but it was surprising behaviour to me, and has left me with passwords in a database they shouldn't be in.

Steps to Reproduce

  1. Highlight an entry and press Ctrl-C.
  2. Open clipboard history tool (e.g. Ditto).

Expected Behavior

No password entry.

Actual Behavior

History has recorded password entry.

Context

KeePassXC - Version 2.6.6
Revision: 9c108b9

Qt 5.15.2
Debugging mode is disabled.

Operating system: Windows 10 Version 2009
CPU architecture: x86_64
Kernel: winnt 10.0.19043

@thedewi thedewi added the bug label Nov 15, 2021

thedewi commented Nov 15, 2021

Workaround: Some clipboard managers, such as Ditto, have an Exclude list to which you can add KeePassXC.exe


thedewi commented Nov 15, 2021

There appear to be multiple conventions in use, and my clipboard history tool (Ditto) does not know ExcludeClipboardContentFromMonitorProcessing. KeePass appears to support 4 of them:

https://github.com/77/keepass2/blob/49373d56801495919f19b2cd1cfdeb741135c479/KeePass/Util/ClipboardUtil.Windows.cs#L43-L48

@droidmonkey droidmonkey changed the title from "Security weakness: does not set "Clipboard Viewer Ignore" format" to "Set additional Clipboard security flags on windows" Nov 26, 2021
@droidmonkey droidmonkey added this to the v2.8.0 milestone Aug 19, 2023
@droidmonkey droidmonkey self-assigned this Aug 19, 2023
@starsoccer

Might be a nice feature if it could be customized if there is no standard. Just as another data point, it seems like CopyQ looks for other information (hluk/CopyQ#2500) but also supports custom format values as well, as mentioned here: https://copyq.readthedocs.io/en/latest/faq.html#faq-ignore-password-manager
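
Added example, not part of the thread and not KeePassXC or KeePass code: one way a Windows sender can attach the two format names mentioned above, plus Microsoft's documented `CanIncludeInClipboardHistory` and `CanUploadToCloudClipboard` formats, before placing a secret on the clipboard. `ClipMarker`, `sensitiveMarkers`, `putData`, `copySensitiveText` and the `extra` option are hypothetical names, and treating "Clipboard Viewer Ignore" as presence-only is an assumption.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#endif

struct ClipMarker { std::wstring format; std::uint32_t value; };  // format name, DWORD payload

// Tools honour different conventions, so a sender sets all of them.
// `extra` holds user-configured format names (hypothetical option).
std::vector<ClipMarker> sensitiveMarkers(const std::vector<std::wstring>& extra = {}) {
    std::vector<ClipMarker> m = {
        {L"Clipboard Viewer Ignore", 0},                       // presence is the signal (assumed)
        {L"ExcludeClipboardContentFromMonitorProcessing", 0}, // presence is the signal
        {L"CanIncludeInClipboardHistory", 0},                 // DWORD 0 = keep out of history
        {L"CanUploadToCloudClipboard", 0},                    // DWORD 0 = do not sync
    };
    for (const auto& name : extra) m.push_back({name, 0});
    return m;
}

#ifdef _WIN32
// Copies `src` into a movable global block and hands it to the clipboard.
static bool putData(UINT fmt, const void* src, size_t n) {
    HGLOBAL h = GlobalAlloc(GMEM_MOVEABLE, n);
    void* p = h ? GlobalLock(h) : nullptr;
    if (!p) { if (h) GlobalFree(h); return false; }
    std::memcpy(p, src, n);
    GlobalUnlock(h);
    if (SetClipboardData(fmt, h)) return true;  // clipboard now owns h
    GlobalFree(h);
    return false;
}

// `owner` must be a real window: with a NULL owner, SetClipboardData can fail.
bool copySensitiveText(HWND owner, const std::wstring& text) {
    if (!OpenClipboard(owner)) return false;
    bool ok = EmptyClipboard() != 0;
    for (const auto& m : sensitiveMarkers()) {
        UINT fmt = RegisterClipboardFormatW(m.format.c_str());
        ok = ok && fmt != 0 && putData(fmt, &m.value, sizeof m.value);
    }
    // Fail closed: the secret is only placed if every marker was set.
    ok = ok && putData(CF_UNICODETEXT, text.c_str(), (text.size() + 1) * sizeof(wchar_t));
    CloseClipboard();
    return ok;
}
#endif
```

The Win32 part compiles only on Windows; a clipboard history tool that recognises none of these names will still record the text, which is why the per-tool exclude list remains a useful second control.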

@droidmonkey droidmonkey modified the milestones: v2.8.0, v2.7.10 Jun 29, 2024
@github-project-automation github-project-automation bot moved this to To triage in WIP Tracker Sep 23, 2024
@droidmonkey droidmonkey moved this from To triage to Backlog in WIP Tracker Sep 23, 2024
@droidmonkey droidmonkey moved this from Backlog to In review in WIP Tracker Dec 2, 2024