Clipboard clearing timer does not remove password from KDE klipper

[kreutpet]

many thanks to create that tool !
Since i move to pass i am using it on daily base and love it.

concerning the clipboard clearing feature i recognized that the functionality actually does not remove the copied password from the klipper KDE clipboard utility.
The "Clipboard cleared" is shown in the qt status ui.
The copied password remains in the history.
I think is is actually a security risk. as the klipper entry needs to be manually cleared.

Not sure if the klipper provides a dbus interfacce to also remove the Clipboard entry been coming from qtpass.
Can klipper been configured to not receive the clipboard from qtpass?
I am also sure the get complicated as the klipper is only available in KDE.

thx

[kreutpet]

i looked a bit deeper into the klipper configuration i found the option to "Disable Actions for windows of type WM_CLASS"
i followed the instruction given and got the following info from qtpass
WM_CLASS(STRING) = "qtpass", "QtPass"

then i added a new entry in the klipper configuration but unfortunately was not able to get the intended behavior.

anyone got klipper configured to ignore actions from qtpass?

[annejan]

That sounds like something to add to the FAQ and or README

[kreutpet]

well , i played around with klipper and did not find any solution to prevent passwords copied into the klipper to be shown in the klipper history.

If any body has same experience or has solution please share.

For password used in www i recommend using firefox and passff , which give direct access to the pass without a copy past

[kreutpet]

this seems to be related
Bug 334646 / Wish 105033

same argumentation , this is considered a security flaw.

Should we fill another bug ?

[5bentz]

This issue is not specific to KDE: same behaviour with XFCE4 clipman.
For reference: Xfce - blacklist passwords 10112

[equaeghe]

It should be possible, as one developer has done it for his proof-of-concept ‘plasma pass’: https://www.dvratil.cz/2018/05/plasma-pass/

More specifically, at the end of https://cgit.kde.org/scratch/dvratil/plasma-pass.git/tree/plugin/passwordprovider.cpp are the functions that he defines for doing it. He uses klipper-specific code.

[rickysarraf]

I am not sure about qtpass but pass does clear up the Klipper clipboard. In fact, it wipes out the entire Klipper history that was loaded.

[kreutpet]

yes i can confirm that the terminal interface of pass does clean the clipboard in KDE.
not used plasma pass yet. i will give it a try

[equaeghe]

yes i can confirm that the terminal interface of pass does clean the clipboard in KDE.

That is no reason to close this issue. QtPass still doesn't clear the password from the clipboard. (Moreover, clearing the entire Klipper history is not exactly proper behavior.) Please reopen.

[kreutpet]

i looked into plasma-pass -> link

how could this lines of code go into qtpass?
I am not so experienced in c++ but how to handle the kde dependency when building qtpass for none KDE/klipper environment?

[greywood]

if the Copy Password button in QTPass used the 'pass -c' command to copy the password then a custom set 'pass' command could point to a wrapper script like this:

---

#!/bin/bash

# stop the password from being recorded by clipman
xfconf-query -c xfce4-panel -p /plugins/clipman/tweaks/inhibit -s true

/usr/bin/pass "$@"

# TODO - trap this command so clipman is ALWAYS restored back to functionality
xfconf-query -c xfce4-panel -p /plugins/clipman/tweaks/inhibit -s false

---

This script would be for clipman on xfce4

[fabianski7]

any news about this?

[matthiasbeyer]

I'm experiencing the same issue.

[equaeghe]

Relevant upstream bug: https://bugs.kde.org/show_bug.cgi?id=334646

[ahippo]

Relevant upstream bug: https://bugs.kde.org/show_bug.cgi?id=334646

The bug is now closed, and the latest comment there says:

KeepassXC sends copied passwords with custom mime data (application/x-nspasteboard-concealed-type on OS X, x-kde-passwordManagerHint on Linux, and ExcludeClipboardContentFromMonitorProcessing on Windows) to hint for passwords not to be stored in history, [snip]

Klipper supports the x-kde-passwordManagerHint flag AFAIK, so password managers should be setting this flag when copying sensitive data.

So, it sounds like there should be a way for QtPass to also set the proper hints/flags.

Another approach employed by pass itself is to

1. Save existing clipboard contents
2. Copy the password into the clipboard
3. Wait the specified auto-clear timeout
4. Save existing clipboard contents again (in case someone copied something else while we were waiting)
5. Clear all clipboard history with qdbus org.kde.klipper /klipper org.kde.klipper.klipper.clearClipboardHistory
6. Restore the latest saved entry (not the password) back into the clipboard

https://github.com/zx2c4/password-store/blob/1.7.4/src/password-store.sh#L175

It's essentially a workaround, but it works pretty well.