Opened 13 years ago

Last modified 13 years ago

#7450 new Bug report

recentservers.xml saves the password in clear code

Reported by: sven Owned by:
Priority: high Component: FileZilla Client
Keywords: passwords cleartext unencrypted recentservers.xml Cc: ernstke+filezilla@…
Component version: Operating system type: Linux
Operating system version: Linux, Windows, Mac OS X



I found in the FileZilla directory on an MS Windows desktop PC the file recentservers.xml, and if I open this file, then I can read my password in clear code.

I think it is very dangerous to save passwords in XML files in clear code.

Perhaps it is possible to save this password encoded?


Change History (1)

comment:1 by Kevin, 13 years ago

Cc: ernstke+filezilla@… added
Keywords: passwords cleartext unencrypted recentservers.xml added; paswords save clear code removed
Operating system type: Windows → Linux
Operating system version: vista 64bit and xp → Linux, Windows, Mac OS X
Type: Patch → Bug report

This bug is a duplicate of #4507, which was closed as "rejected."

Implementing your own secure password storage scheme or integrating with the system-wide keychain facilities of modern Linuxes and OS X probably aren't projects you want to undertake. Understood. But may we please have an option to disable storing the passwords in "recentservers.xml"? Or make the quickconnect bar prompt for a password if left empty so FileZilla can be safely automated with KeePass, AutoHotkey, et al., without writing cleartext passwords to the filesystem with every invocation?

I find this "design feature" of FileZilla maddening, because it prevents me from 1) using KeePass to fill in the quickconnect bar, and 2) storing my FileZilla configs on Dropbox so I can access them from multiple computers and/or share with co-workers.

Not even mentioning university lab/friend's computer/cybercafé use, where a "feature" like this could be a real problem for innocents who don't think about stuff like this.

I know it's not the burden of the FileZilla developer(s) to make every user happy, but today this mis-feature caused me to have to reset six account passwords after "recentservers.xml" was "leaked" to a shared Dropbox folder. (Because, even though I can delete-delete the deleted file using the Dropbox web site, it's already been emblazoned on the magnetic platters of four other machines, plus Dropbox's servers, who can't be trusted anymore.)

My interim solution: set the permissions on "recentservers.xml" to 400 (r-- --- ---) and put up with the two error dialogs from FileZilla when it fails to write to that file. I could probably get KeePass to press "Enter" twice for me to make the dialogs go away, but I want to be annoyed frequently enough by it to eventually write a patch.
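As an added example (not code from the ticket or from the FileZilla project), here is a small Python audit script in the spirit of the interim workaround above: it reports which recent-connection entries carry a stored password (the password itself is never printed) and whether the file is still readable by other local users, so that a chmod 400 or a forgotten copy in a synced folder can be spotted before it leaks. The element names `<Server>`, `<Host>`, `<User>` and `<Pass>`, the `~/.filezilla` default directory and the `sitemanager.xml` file name are assumptions about FileZilla's configuration layout; the embedded XML is constructed sample data.

```python
"""Audit a FileZilla configuration directory for cleartext stored passwords.

Assumption (not stated in the ticket): FileZilla keeps recent connections and
site-manager entries as <Server> elements whose children include <Host>, <User>
and <Pass>. Passwords that are found are reported only by host/user, never shown.
"""
import os
import stat
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample in the assumed layout; this is not a real FileZilla file.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <User>sven</User>
      <Pass>hunter2</Pass>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <User>kevin</User>
      <Pass></Pass>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def find_stored_passwords(xml_text):
    """Return (host, user) for every <Server> whose <Pass> element is non-empty."""
    root = ET.fromstring(xml_text)
    hits = []
    for server in root.iter("Server"):
        password = server.findtext("Pass") or ""
        if password.strip():
            hits.append((server.findtext("Host", ""), server.findtext("User", "")))
    return hits


def is_readable_by_others(mode):
    """True when the group or other read bits are set (POSIX permission bits)."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_file(path):
    """Audit one XML file; returns a summary dict without any password values."""
    path = Path(path)
    hits = find_stored_passwords(path.read_text(encoding="utf-8"))
    mode = stat.S_IMODE(path.stat().st_mode)
    return {
        "file": str(path),
        "stored": hits,
        "mode": oct(mode),
        "readable_by_others": is_readable_by_others(mode),
    }


def audit_dir(config_dir):
    """Audit the known password-bearing files in a FileZilla config directory."""
    results = []
    # sitemanager.xml is the saved-sites store (assumed name, not from the ticket).
    for name in ("recentservers.xml", "sitemanager.xml"):
        candidate = Path(config_dir) / name
        if candidate.is_file():
            results.append(audit_file(candidate))
    return results


if __name__ == "__main__":
    # ~/.filezilla is the assumed default location on Linux; pass a path to override.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.filezilla")
    for result in audit_dir(target):
        print(f"{result['file']}: {len(result['stored'])} stored password(s), "
              f"mode {result['mode']}, readable by others: {result['readable_by_others']}")
        for host, user in result["stored"]:
            print(f"  {user}@{host}")
```

Run it with the config directory as the only argument; a non-empty "stored" list combined with "readable by others: True" is the condition the ticket complains about, and a mode of 0o400 with no other-readable bits matches the interim chmod workaround.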
