Bug report #9030
WMS passwords stored in plaintext even if not chosen to
| Field | Value |
|---|---|
| Category | Web Services clients/WMS |
| Affected QGIS version | 2.0.1 |
| Regression? | No |
| Operating System | |
| Easy fix? | No |
| Pull Request or Patch supplied | No |
| Resolution | |
| Crashes QGIS or corrupts data | No |
| Copied to github as # | 17685 |
When adding a WMS layer, even if you choose not to save the password, the password will be stored in plain text in the QGS file as part of the datasource tag. This is a grave security bug, because it exposes every WMS server password, without even informing the user about it.
This issue is related to Feature #8180, but it's not a duplicate – in the case of this issue, the user is not even informed, and it's impossible to use WMS layers without saving the password in the file.
The only way to avoid this issue right now is to either not use a password-enabled WMS layer at all, or change the password in the QGS file (which results in an error upon loading the file and the layers are then removed upon loading).
This is present on QGIS 2.0.1.
#2 Updated by Jürgen Fischer almost 7 years ago
- Status changed from Open to Closed
Um, not reproducible in master (but I'm not aware that there was a change in behaviour since 2.0.1).
If you enter the password in the connection dialog, it warns you about how the password will be saved and asks for confirmation before it actually stores it. If you don't enter a password and the service requires a username and password (via HTTP authentication), there will be a password prompt and the entered password will only be cached temporarily, but not permanently saved in the project file or elsewhere. If the service however requires you to enter the password as part of the URL, QGIS can tell that what you enter actually is a password and can't do anything about it - in that case you should talk to your service provider and ask for HTTP authentication.
#3 Updated by Dainius Masiliūnas almost 7 years ago
When did the change in behaviour occur?
And no, this is not a case where the WMS URL itself contains the password. To clarify, this is the part of the QGS file that contains the password:
    <projectlayers layercount="2">
      <maplayer minimumScale="0" maximumScale="1e+08" type="raster" hasScaleBasedVisibilityFlag="0">
        <id>13620140207175045596</id>
        <datasource>crs=EPSG:4326&dpiMode=all&featureCount=10&format=image/jpeg&layers=136&maxHeight=1024&maxWidth=1024&password=!!PLAINTEXTPASSWORDISHERE!!&styles=default&url=https://www.example.com/service/&username=GreatEmerald</datasource>
        <title></title>
        <abstract></abstract>
        <keywordList>
          <value></value>
        </keywordList>
        <layername>136</layername>
If it doesn't exist any more in the current master, then it's good to know. I'll see if I can update to that and test it.
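The thread above shows the exposure in the file format itself: the WMS credential sits in the `<datasource>` text as a `password=` query parameter. The script below is an added example, not code from the QGIS project or from anyone in this thread. It audits a `.qgs` project for layers whose datasource embeds a password (reporting only that one is present, never the value) and can write back a copy with that parameter removed so the file is safe to share. It assumes the datasource text is a plain `key=value&key=value` query string as in the quoted snippet (XML-escaped as `&amp;` inside the saved file); the sample project and the second layer in it are constructed for the example, with a placeholder where the password would be.

```python
"""Audit a QGIS .qgs project for WMS datasources that embed a plaintext password.

Added example for this bug thread; not QGIS code. Assumes the datasource text
is a URL-style query string (crs=...&password=...&url=...), as in the snippet
quoted in comment #3.
"""
import sys
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode

# Constructed sample modelled on the quoted snippet. Inside a saved XML file the
# '&' separators are escaped as '&amp;'; the password value is a placeholder.
SAMPLE_QGS = """<qgis version="2.0.1">
  <projectlayers layercount="2">
    <maplayer minimumScale="0" maximumScale="1e+08" type="raster" hasScaleBasedVisibilityFlag="0">
      <id>13620140207175045596</id>
      <datasource>crs=EPSG:4326&amp;dpiMode=all&amp;featureCount=10&amp;format=image/jpeg&amp;layers=136&amp;maxHeight=1024&amp;maxWidth=1024&amp;password=PLACEHOLDER-PASSWORD&amp;styles=default&amp;url=https://www.example.com/service/&amp;username=GreatEmerald</datasource>
      <layername>136</layername>
    </maplayer>
    <maplayer minimumScale="0" maximumScale="1e+08" type="raster" hasScaleBasedVisibilityFlag="0">
      <id>CONSTRUCTED-SECOND-LAYER</id>
      <datasource>crs=EPSG:4326&amp;format=image/png&amp;layers=public&amp;url=https://www.example.com/public/</datasource>
      <layername>public</layername>
    </maplayer>
  </projectlayers>
</qgis>
"""


def find_embedded_passwords(qgs_xml):
    """Return one record per <maplayer> whose datasource carries a password=
    parameter. The password value itself is deliberately not returned, so the
    audit output is safe to log or paste into a ticket."""
    root = ET.fromstring(qgs_xml)
    findings = []
    for layer in root.iter("maplayer"):
        datasource = layer.findtext("datasource") or ""
        params = dict(parse_qsl(datasource, keep_blank_values=True))
        if "password" in params:
            findings.append({
                "id": layer.findtext("id"),
                "layername": layer.findtext("layername"),
                "url": params.get("url"),
                "username": params.get("username"),
            })
    return findings


def strip_passwords(qgs_xml):
    """Return a copy of the project XML with every password= parameter removed
    from layer datasources; all other parameters and their order are kept."""
    root = ET.fromstring(qgs_xml)
    for layer in root.iter("maplayer"):
        ds_el = layer.find("datasource")
        if ds_el is None or not ds_el.text:
            continue
        params = parse_qsl(ds_el.text, keep_blank_values=True)
        if any(key == "password" for key, _ in params):
            kept = [(key, value) for key, value in params if key != "password"]
            # safe="/:" keeps url=https://... and format=image/jpeg readable
            ds_el.text = urlencode(kept, safe="/:")
    return ET.tostring(root, encoding="unicode")


def audit_file(path):
    """Read a .qgs file from disk and return the findings for it."""
    with open(path, encoding="utf-8") as fh:
        return find_embedded_passwords(fh.read())


if __name__ == "__main__":
    # Usage: python audit_qgs.py project.qgs   (or no argument to run the sample)
    if len(sys.argv) > 1:
        results = audit_file(sys.argv[1])
    else:
        results = find_embedded_passwords(SAMPLE_QGS)
    for rec in results:
        print("layer %(id)s (%(layername)s) stores a password for %(username)s at %(url)s" % rec)
    print("%d layer(s) with an embedded password" % len(results))
```

Running it without arguments audits the constructed sample and reports the first layer; `strip_passwords` is kept separate from the audit so a reviewer can choose between reporting and rewriting the file.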