author Ivan Čukić <ivan.cukic@kde.org> 2018-12-07 23:24:58 +0100
committer Ivan Čukić <ivan.cukic@kde.org> 2019-01-29 09:51:36 +0000
commit 679a9972b46b0ebd03444f3c08ce7d3424c494f9
tree b0180436c4ef48a490da27b6d2723ea3348d8674
parent 454676a8745a7334539449562a5fda47db2fc2ca
TextInput: Stop leaking password values to process memory
The contents of a deleted QString can still remain in memory and can be accessible by tools that read the raw process memory. The same problem appears when the QString reallocates -- the old buffer gets deleted, but its contents will remain in memory.

This means that a TextInput that serves as a password input field can leak parts of the password while the user is entering it (due to reallocation) and the whole password when the TextInput instance is destroyed.

With this patch, the contents of the m_text string member variable will be zeroed-out before the TextInput is destructed. This is done only in the cases when the TextInput serves as a password field.

Also, this patch reserves the space for 30 characters for m_text when the TextInput is used for password input. This is enough to make sure no reallocation happens in the majority of cases as barely anyone uses passwords longer than 30 characters.

[ChangeLog][QtQuick][TextInput/security] When the TextInput is used for password input, preallocate a buffer for the string that stores the entered value and zero-out the string on TextInput destruction to avoid leaking sensitive data to process memory

Change-Id: I8f1f307b1cfc25ad51f48bae8509a258042a2e7f
Reviewed-by: Frederik Gladhorn <frederik.gladhorn@qt.io>
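The effect the commit message describes, as an added example that is not Qt code and not part of the commit: a std::vector<char> on a constructed bump arena stands in for QString's buffer, so the bytes left behind by reallocation and destruction can be inspected. ArenaAlloc, leaked_copies and the sample password are assumptions made for the demonstration.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <new>
#include <vector>

// Constructed bump arena standing in for the heap: deallocate() leaves the
// bytes in place, as free() does, and lets the demo inspect them legally.
static unsigned char g_arena[4096];
static std::size_t g_used = 0;

template <class T> struct ArenaAlloc {
    using value_type = T;
    ArenaAlloc() = default;
    template <class U> ArenaAlloc(const ArenaAlloc<U>&) {}
    T* allocate(std::size_t n) {
        if (g_used + n * sizeof(T) > sizeof g_arena) throw std::bad_alloc();
        T* p = reinterpret_cast<T*>(g_arena + g_used);
        g_used += n * sizeof(T);
        return p;
    }
    void deallocate(T*, std::size_t) {}  // old contents are NOT cleared
};
template <class T, class U> bool operator==(const ArenaAlloc<T>&, const ArenaAlloc<U>&) { return true; }
template <class T, class U> bool operator!=(const ArenaAlloc<T>&, const ArenaAlloc<U>&) { return false; }

// Types a constructed password one character at a time, destroys the buffer,
// then counts how many copies of its first 8 characters remain in the arena.
int leaked_copies(bool reserve_first, bool wipe_before_destroy) {
    std::memset(g_arena, 0, sizeof g_arena);
    g_used = 0;
    const char* pw = "correct-horse-battery";  // constructed sample, 21 chars
    {
        std::vector<char, ArenaAlloc<char>> text;
        if (reserve_first) text.reserve(30);  // mirrors reserve(30) in the patch
        for (const char* c = pw; *c; ++c) text.push_back(*c);
        if (wipe_before_destroy) std::fill(text.begin(), text.end(), '\0');
    }
    int found = 0;
    for (std::size_t i = 0; i + 8 <= g_used; ++i)
        if (std::memcmp(g_arena + i, pw, 8) == 0) ++found;
    return found;
}

int main() {
    for (int m = 0; m < 4; ++m)
        std::printf("reserve=%d wipe=%d copies=%d\n", m & 1, m >> 1, leaked_copies(m & 1, m >> 1));
}
```

Reserving alone still leaves one copy after destruction, and wiping alone leaves the copies in the outgrown buffers; only the two together bring the count to zero.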
-rw-r--r-- src/quick/items/qquicktextinput.cpp | 6
-rw-r--r-- src/quick/items/qquicktextinput_p_p.h | 5
2 files changed, 11 insertions, 0 deletions
diff --git a/src/quick/items/qquicktextinput.cpp b/src/quick/items/qquicktextinput.cpp
index a0ac884fef..aac7137ff3 100644
--- a/src/quick/items/qquicktextinput.cpp
+++ b/src/quick/items/qquicktextinput.cpp
@@ -1242,6 +1242,12 @@ void QQuickTextInput::setEchoMode(QQuickTextInput::EchoMode echo)
d->updateDisplayText();
updateCursorRectangle();
+ // If this control is used for password input, we want to minimize
+ // the possibility of string reallocation not to leak (parts of)
+ // the password.
+ if (d->m_echoMode != QQuickTextInput::Normal)
+ d->m_text.reserve(30);
+
emit echoModeChanged(echoMode());
}
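Review bot: the literal 30 in d->m_text.reserve(30) is a magic number, and the comment above it does not say where the figure comes from; give it a named constant and document the limit there. A password longer than that still triggers a reallocation whose old buffer is released without being cleared, so consider wiping the old contents whenever m_text has to grow while the echo mode is not Normal. The call also runs only from setEchoMode(), so it is worth confirming that no later assignment to m_text replaces the reserved buffer with a smaller one.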
diff --git a/src/quick/items/qquicktextinput_p_p.h b/src/quick/items/qquicktextinput_p_p.h
index a2e2f0f66d..7965f3d3f4 100644
--- a/src/quick/items/qquicktextinput_p_p.h
+++ b/src/quick/items/qquicktextinput_p_p.h
@@ -162,6 +162,11 @@ public:
~QQuickTextInputPrivate()
{
+ // If this control is used for password input, we don't want the
+ // password data to stay in the process memory, therefore we need
+ // to zero it out
+ if (m_echoMode != QQuickTextInput::Normal)
+ m_text.fill(0);
}
void init();
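Review bot: m_text.fill(0) in ~QQuickTextInputPrivate() clears only the buffer this QString ends up owning. QString is implicitly shared, so if another copy of the text is still alive, fill() detaches first and the shared buffer holding the password is left untouched; the comment should say that copies handed out earlier are not covered. The condition also reads m_echoMode as it stands at destruction, so a field switched back to Normal after a password was typed is not wiped; zeroing m_text when leaving a non-Normal mode would close that gap.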