Some records transmitted without user permission #127
KeePassHttp creates new entries with domain as title. No matter if KeePassHttp created the entry or not, access to entries is granted automatically if the title contains the domain name of the requested page. This is the only case for which access is granted automatically (despite the setting you can set for granting access always).
So, if I have an old KeePass DB with many domain-named entries, I need to rename them to something like http://old.domain.name to be sure that access will NOT be granted automatically without my permission? And there are no other backdoors?
It should work with renaming it.
The issue still persists. Any item with a non-URL Title (e.g. "Sample Entry") returns content without explicit permission. The only option I found is to create Advanced > String fields > Add > KeePassHttp Settings > {"Allow":[],"Deny":["Sample Entry"]} to block access at all. As far as I know, there is no way to force the plugin to ask on every access for these items. Configuration: Manjaro XFCE, KeePass 2.54, KeeAgent 0.12.1.0, KeePassHttp 1.8.4.2, KeePassNatMsg 2.0.17.0 and python_keepass_http as a client
Win7 x64
FF22 + PassIFox 1.1.5
KeePass 2.22 + KeePassHttp 1.8.1.0
I'm getting a popup with a permission request when PassIFox requests a username/password. But some records it fetches directly without a permission request (a balloon with request info is all that I see). I'm 100% sure I didn't give permission earlier because:
Interesting thing: I've renamed this entry (just added an "https://" prefix to its title) and after the page was reloaded I got a permission request. I think it is KeePassHttp's responsibility to make a request, so it may be a bug. Or maybe I don't understand something.