Bug report #9030

Updated by Jürgen Fischer over 5 years ago

When adding a WMS layer, even if you choose not to save the password, the password will be stored in plain text in the QGS file as part of the datasource tag. This is a grave security bug, because it exposes every WMS server password, without even informing the user about it.

This issue is related to Feature #8180, but it's not a duplicate – in the case of this issue, the user is not even informed, and it's impossible to use WMS layers without saving the password in the file.

The only way to avoid this issue right now is to either not use a password-enabled WMS layer at all, or change the password in the QGS file (which results in an error upon loading the file and the layers are then removed upon loading).

This is present on QGIS 2.0.1.