Opened 12 years ago
Last modified 11 years ago
#7450 new Bug report
recentservers.xml saves the password in clear code
Reported by: sven
Owned by: (empty)
Keywords: passwords cleartext unencrypted recentservers.xml
Cc: ernstke+filezilla@…
Component version: (empty)
Operating system type: Linux
Operating system version: Linux, Windows, Mac OS X
I found the file recentservers.xml in the FileZilla directory on a MS Windows desktop PC, and if I open this file, I can read my password in clear code.
I think it is very dangerous to save passwords in XML files in clear code.
Perhaps it is possible to save this password encoded?
Change History (1)
comment:1 by , 11 years ago
Keywords: passwords cleartext unencrypted recentservers.xml added; paswords save clear code removed
Operating system type: Windows → Linux
Operating system version: vista 64bit and xp → Linux, Windows, Mac OS X
Type: Patch → Bug report
This bug is a duplicate of #4507, which was closed as "rejected."
Implementing your own secure password storage scheme or integrating with the system-wide keychain facilities of modern Linuxes and OS X probably aren't projects you want to undertake. Understood. But may we please have an option to disable storing the passwords in "recentservers.xml"? Or make the quickconnect bar prompt for a password if left empty so FileZilla can be safely automated with KeePass, AutoHotkey, et al., without writing cleartext passwords to the filesystem with every invocation?
I find this "design feature" of FileZilla maddening, because it prevents me from 1) using KeePass to fill in the quickconnect bar, and 2) storing my FileZilla configs on Dropbox so I can access them from multiple computers and/or share with co-workers.
Not even mentioning university lab/friend's computer/cybercafé use, where a "feature" like this could be a real problem for innocents who don't think about stuff like this.
I know it's not the burden of the FileZilla developer(s) to make every user happy, but today this mis-feature caused me to have to reset six account passwords after "recentservers.xml" was "leaked" to a shared Dropbox folder. (Because, even though I can delete-delete the deleted file using the Dropbox web site, it's already been emblazoned on the magnetic platters of four other machines, plus Dropbox's servers, who can't be trusted anymore.)
My interim solution: set the permissions on "recentservers.xml" to 400 (r-- --- ---) and put up with the two error dialogs from FileZilla when it fails to write to that file. I could probably get KeePass to press "Enter" twice for me to make the dialogs go away, but I want to be annoyed frequently enough by it to eventually write a patch.
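A small hardening script for the workaround described in this comment (blank the stored passwords, then set the file to mode 400), added here as an example; it is not part of the ticket or of FileZilla. It assumes the stored password lives in a `<Pass>` element and works on a constructed sample file, not a real recentservers.xml.

```shell
#!/bin/sh
# Added example, not FileZilla's code. The <Pass> element name and the
# sample layout below are assumptions about recentservers.xml.

# Write a constructed sample resembling recentservers.xml (values made up).
make_sample() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <RecentServers>
    <Server>
      <Host>ftp.example.invalid</Host>
      <Port>21</Port>
      <User>alice</User>
      <Pass>hunter2</Pass>
    </Server>
  </RecentServers>
</FileZilla3>
EOF
}

# Count lines holding a non-empty <Pass> element: a rough check for
# cleartext credentials left in the file. Always prints a number.
count_cleartext_passwords() {
  grep -c '<Pass>[^<][^<]*</Pass>' "$1" || true
}

# Blank every stored password in place (the "option to disable storing
# the passwords" the comment asks for, done after the fact).
strip_passwords() {
  sed 's#<Pass>[^<]*</Pass>#<Pass></Pass>#g' "$1" > "$1.tmp" && mv -f "$1.tmp" "$1"
}

# Restrict the file to owner read-only (mode 400), as in the workaround,
# and print the resulting mode in octal (GNU stat first, BSD/macOS fallback).
lock_down() {
  chmod 400 "$1"
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

Run `strip_passwords` before `lock_down`; with mode 400 FileZilla will complain when it tries to rewrite the file, which is the two dialogs the comment mentions.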