Bug report #9030

WMS passwords stored in plaintext even if not chosen to

Added by Dainius Masiliūnas over 6 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Web Services clients/WMS
Affected QGIS version: 2.0.1
Regression?: No
Operating System:
Easy fix?: No
Pull Request or Patch supplied: No
Resolution:
Crashes QGIS or corrupts data: No
Copied to github as #: 17685

Description

When adding a WMS layer, even if you choose not to save the password, the password will be stored in plain text in the QGS file as part of the datasource tag. This is a grave security bug, because it exposes every WMS server password, without even informing the user about it.

This issue is related to Feature #8180, but it's not a duplicate – in the case of this issue, the user is not even informed, and it's impossible to use WMS layers without saving the password in the file.

The only way to avoid this issue right now is to either not use a password-enabled WMS layer at all, or change the password in the QGS file (which results in an error upon loading the file and the layers are then removed upon loading).

This is present on QGIS 2.0.1.


Related issues

Related to QGIS Application - Feature request #8180: Encryption of Passwords in qgs files Open 2013-06-27

History

#1 Updated by Giovanni Manghi about 6 years ago

  • Priority changed from High to Normal

There is no crash or data corruption, so I'm lowering the priority.

#2 Updated by Jürgen Fischer about 6 years ago

  • Status changed from Open to Closed

Um, not reproducible in master (but I'm not aware that there was a change in behaviour since 2.0.1).

If you enter the password in the connection dialog, it warns you about how the password will be saved and asks for confirmation before it actually stores it. If you don't enter a password and the service requires a username and password (via HTTP authentication), there will be a password prompt and the entered password will only be cached temporarily, but not permanently saved in the project file or elsewhere. If the service however requires you to enter the password as part of the URL, QGIS can tell that what you enter actually is a password and can't do anything about it - in that case you should talk to your service provider and ask for HTTP authentication.

#3 Updated by Dainius Masiliūnas about 6 years ago

When did the change in behaviour occur?

And no, this is not a case where the WMS URL itself contains the password. To clarify, this is the part of the QGS file that contains the password:

    <projectlayers layercount="2">
        <maplayer minimumScale="0" maximumScale="1e+08" type="raster" hasScaleBasedVisibilityFlag="0">
            <id>13620140207175045596</id>
            <datasource>crs=EPSG:4326&amp;dpiMode=all&amp;featureCount=10&amp;format=image/jpeg&amp;layers=136&amp;maxHeight=1024&amp;maxWidth=1024&amp;password=!!PLAINTEXTPASSWORDISHERE!!&amp;
                styles=default&amp;url=https://www.example.com/service/&amp;username=GreatEmerald</datasource>
            <title></title>
            <abstract></abstract>
            <keywordList>
                <value></value>
            </keywordList>
            <layername>136</layername>
        </maplayer>
    </projectlayers>

If it doesn't exist any more in the current master, then it's good to know. I'll see if I can update to that and test it.
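As an added example (not part of this bug report or of QGIS itself), a small Python check that scans a QGS project file for a plaintext `password=` parameter inside WMS `<datasource>` strings, as in the fragment quoted above, and can strip it before the project is shared. The project XML below is constructed for the demonstration; the assumption is that the datasource string is an `&`-joined `key=value` list, which is what the quoted fragment shows.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragment in comment #3; not a real project file.
SAMPLE_QGS = """<qgis projectname="demo" version="2.0.1">
  <projectlayers layercount="2">
    <maplayer type="raster">
      <id>13620140207175045596</id>
      <datasource>crs=EPSG:4326&amp;dpiMode=all&amp;format=image/jpeg&amp;layers=136&amp;password=!!PLAINTEXTPASSWORDISHERE!!&amp;styles=default&amp;url=https://www.example.com/service/&amp;username=GreatEmerald</datasource>
      <layername>136</layername>
    </maplayer>
    <maplayer type="raster">
      <id>2</id>
      <datasource>crs=EPSG:4326&amp;format=image/png&amp;layers=public&amp;url=https://www.example.com/public/</datasource>
      <layername>public</layername>
    </maplayer>
  </projectlayers>
</qgis>
"""

# Parameter names treated as secrets (assumption: QGIS WMS URIs use "password").
SECRET_KEYS = {"password"}


def split_params(datasource: str) -> list:
    """Split an '&'-joined key=value datasource string into (key, value) pairs.
    Values are kept verbatim (no URL decoding) so redaction does not alter them."""
    pairs = []
    for part in datasource.split("&"):
        key, _, value = part.partition("=")
        pairs.append((key.strip(), value))
    return pairs


def find_plaintext_credentials(qgs_xml: str) -> list:
    """Return (layer id, layername, key) for every datasource param holding a secret."""
    root = ET.fromstring(qgs_xml)  # ElementTree turns '&amp;' back into '&'
    hits = []
    for layer in root.iter("maplayer"):
        for key, value in split_params(layer.findtext("datasource") or ""):
            if key.lower() in SECRET_KEYS and value:
                hits.append((layer.findtext("id"), layer.findtext("layername"), key))
    return hits


def redact_credentials(qgs_xml: str) -> str:
    """Return a copy of the project XML with secret datasource params removed."""
    root = ET.fromstring(qgs_xml)
    for ds_el in root.iter("datasource"):
        if not ds_el.text:
            continue
        kept = [f"{k}={v}" for k, v in split_params(ds_el.text) if k.lower() not in SECRET_KEYS]
        ds_el.text = "&".join(kept)
    return ET.tostring(root, encoding="unicode")  # re-escapes '&' as '&amp;'
```

Running `find_plaintext_credentials` over a project before committing or sharing it is the check; `redact_credentials` produces a copy that, as comment #3 notes, will prompt for or fail on the missing password when loaded rather than leak it.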

#4 Updated by Jürgen Fischer over 2 years ago

  • Description updated (diff)
  • Subject changed from WMS paswords stored in plaintext even if not chosen to to WMS passwords stored in plaintext even if not chosen to
