Bug 171900 - Export Settings should *not* save passwords
Summary: Export Settings should *not* save passwords
Status: RESOLVED FIXED
Alias: None
Product: ide
Classification: Unclassified
Component: Import Settings
Version: 6.x
Hardware: All
OS: All
Importance: P3 blocker
Assignee: Theofanis Oikonomou
URL:
Keywords: PLAN, UI
Depends on: 173413
Blocks:
Reported: 2009-09-10 10:50 UTC by fommil
Modified: 2012-02-13 15:08 UTC

See Also:
Issue Type: DEFECT
Exception Reporter:


Attachments

Description fommil 2009-09-10 10:50:42 UTC
Export Settings should *not* save passwords: it is non-obvious that this is happening and can lead to serious security breaches as users share preferences with each other, e.g. Subversion connection details.

If passwords are to be stored, the export dialog should have a button, separate to the current list, to emphasise the special nature of this content.
Comment 1 Jiri Skrivanek 2009-10-06 09:47:23 UTC
Until an API for securely persisting passwords is implemented (issue 173413), I added a warning about potential security risks.

core-main #3d5641934782
Comment 2 Quality Engineering 2009-10-07 12:43:28 UTC
Integrated into 'main-golden', will be available in build *200910070250* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main-golden/rev/3d5641934782
User: Jiri Skrivanek <jskrivanek@netbeans.org>
Log: #171900 - Inform users about security risks while exporting settings.
Comment 3 Jesse Glick 2009-12-11 10:15:30 UTC
The Keyring API will continue to store encrypted passwords in the userdir on Windows (which has no standard keyring - only a login encryption feature), or if none of the supported platform-specific impls can be loaded (e.g. you use KDE). So you should exclude "config/Preferences/org/netbeans/modules/keyring.*" to be on the safe side; otherwise someone getting access to these files might be able to run a password cracker to find the master password. Would this just be an exclude param in core.ui's layer?
Comment 4 fommil 2009-12-11 10:41:52 UTC
Who on earth closed this??!

The bug report is "Export Settings should *not* save passwords" - not "Export Settings should warn before saving passwords"
Comment 5 fommil 2009-12-11 10:53:24 UTC
This is FIXED in main-golden, but not 6.8, right?
Comment 6 Jesse Glick 2009-12-11 11:02:36 UTC
6.8 contains the warning. The actual improved handling of passwords will be in 6.9.
Comment 7 Jiri Skrivanek 2009-12-14 02:01:58 UTC
If we exclude keyring.*, users might complain that they don't have imported passwords while moving to a newer IDE release. But it is probably safer than letting users check/uncheck whether they want to include/exclude passwords in zipped settings.
Comment 8 Jesse Glick 2009-12-14 08:49:20 UTC
It seems reasonable to offer config/Preferences/org/netbeans/modules/keyring.* as a separate item "Passwords", but only if we can be sure it is never checked by default. Better to force users to reenter passwords once per new release than risk having even encrypted passwords be included in a published ZIP.
Comment 9 Antonin Nebuzelsky 2011-12-06 20:51:24 UTC
Fanis, put this one in your plan for 7.2. Thanks.
Comment 10 Theofanis Oikonomou 2012-02-12 22:05:33 UTC
Fixed

http://hg.netbeans.org/core-main/rev/866b6f9c14da

config/Preferences/org/netbeans/modules/keyring.* is included in the keyring module and is offered as "Passwords" under the "Keyring & Passwords" category. The "Passwords" item is only selected if the user specifically clicks its checkbox. The warning is still presented to the user, but only when this happens.
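The export model agreed on in Comments 8 and 10 (a separate "Passwords" item owning config/Preferences/org/netbeans/modules/keyring.*, never selected by default, with the warning shown only when the user ticks it) written out as an added Java example. This is illustrative code, not NetBeans' OptionsExportModel or the keyring module's layer definition: the ExportItem and SettingsExporter classes, the "Preferences" and "Editor" patterns, the warning text and the sample userdir built in main are all assumptions constructed for the example.

```java
import java.io.File;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Stream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import java.util.zip.ZipOutputStream;

/** One selectable item of the export dialog (hypothetical model, not NetBeans' own). */
final class ExportItem {
    final String displayName;
    final Pattern pattern;          // matched against the userdir-relative, '/'-separated path
    final boolean selectedByDefault;
    final String warning;           // shown when the user ticks the item; null when there is none

    ExportItem(String displayName, String regex, boolean selectedByDefault, String warning) {
        this.displayName = displayName;
        this.pattern = Pattern.compile(regex);
        this.selectedByDefault = selectedByDefault;
        this.warning = warning;
    }
}

public final class SettingsExporter {
    /** Items are tried in order; a file belongs to the first item whose pattern matches it. */
    static final List<ExportItem> ITEMS = List.of(
        // Opt-in only: the keyring fallback provider's encrypted store is never ticked by default.
        new ExportItem("Passwords", "config/Preferences/org/netbeans/modules/keyring.*", false,
            "The exported ZIP will contain your stored (encrypted) passwords. Do not share it."),
        new ExportItem("Preferences", "config/Preferences/.*", true, null),
        new ExportItem("Editor", "config/Editors/.*", true, null));

    /** Items ticked when the dialog opens; opt-in items are always left unticked. */
    static Set<String> defaultSelection() {
        Set<String> names = new LinkedHashSet<>();
        for (ExportItem item : ITEMS) {
            if (item.selectedByDefault) names.add(item.displayName);
        }
        return names;
    }

    /** Warnings the dialog must show for a selection (only the opt-in item carries one). */
    static List<String> warningsFor(Set<String> selected) {
        List<String> warnings = new ArrayList<>();
        for (ExportItem item : ITEMS) {
            if (selected.contains(item.displayName) && item.warning != null) warnings.add(item.warning);
        }
        return warnings;
    }

    /** Keeps the paths whose owning item is selected; files matching no item are dropped. */
    static List<String> filter(List<String> relativePaths, Set<String> selected) {
        List<String> kept = new ArrayList<>();
        for (String path : relativePaths) {
            for (ExportItem item : ITEMS) {
                if (item.pattern.matcher(path).matches()) {
                    if (selected.contains(item.displayName)) kept.add(path);
                    break; // the first matching item owns the file, so keyring.* never leaks via "Preferences"
                }
            }
        }
        return kept;
    }

    /** Writes the selected files of the userdir into a ZIP with '/'-separated entry names. */
    static void export(Path userdir, Set<String> selected, Path zipFile) throws IOException {
        List<String> all = new ArrayList<>();
        try (Stream<Path> walk = Files.walk(userdir)) {
            walk.filter(Files::isRegularFile)
                .forEach(p -> all.add(userdir.relativize(p).toString().replace(File.separatorChar, '/')));
        }
        try (OutputStream out = Files.newOutputStream(zipFile);
             ZipOutputStream zip = new ZipOutputStream(out)) {
            for (String rel : filter(all, selected)) {
                zip.putNextEntry(new ZipEntry(rel));
                Files.copy(userdir.resolve(rel), zip);
                zip.closeEntry();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample userdir: a keyring store next to an ordinary editor setting.
        Path userdir = Files.createTempDirectory("nb-userdir");
        Path keyring = userdir.resolve("config/Preferences/org/netbeans/modules/keyring.properties");
        Path editor = userdir.resolve("config/Editors/Preferences/abbreviations.xml");
        Files.createDirectories(keyring.getParent());
        Files.createDirectories(editor.getParent());
        Files.writeString(keyring, "# placeholder for the encrypted store\n");
        Files.writeString(editor, "<abbrevs/>\n");

        Path zip = userdir.resolveSibling(userdir.getFileName() + ".zip");
        Set<String> selection = defaultSelection();          // "Preferences" and "Editor" only
        System.out.println("warnings: " + warningsFor(selection)); // empty: nothing sensitive selected
        export(userdir, selection, zip);
        try (ZipFile z = new ZipFile(zip.toFile())) {        // keyring.properties is absent from the listing
            z.stream().forEach(e -> System.out.println(e.getName()));
        }
    }
}
```

Ordering the "Passwords" item first is what makes the default safe: the broader "Preferences" pattern would otherwise claim keyring.properties as ordinary settings. Adding "Passwords" to the selection is the only way the file reaches the ZIP, and warningsFor then returns the text the dialog has to show before the export proceeds.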
Comment 11 Jesse Glick 2012-02-13 15:08:46 UTC
Remember that there will normally be nothing in this category; files under this path are only saved when using the "master password" provider, normally due to some error loading the native keyring provider. In such a case the passwords are encrypted and so vulnerable only insofar as the master password is weak (or there is some undiscovered flaw in the encryption regime), unless of course the suggestion in bug #193978 were implemented.

From an API perspective, the fix is poor since it hardcodes OptionsExportModel.PASSWORDS_PATTERN, and relies on the undocumented and fragile assumption that org.netbeans.modules.options.export.Bundle#OptionsChooserPanel.export.passwords.displayName=Passwords and org.netbeans.modules.keyring.Bundle#Passwords.Options.Export.displayName=Passwords will be translated to the same string! Better would be to introduce a new booleanvalue file attribute for an OptionsExport category or item, say 'enabled' (default true), to be documented in options.api (preferably Javadoc but at least arch.xml) and used by keyring; and/or a stringvalue attribute with the text of a warning to be displayed before enabling the category.

BTW the definition of the export belongs in keyring.impl, not keyring; keyring is pure API/SPI whereas the code that uses this NbPreferences path (FallbackProvider) is in keyring.impl.