Tested on LibreOffice: Version: 4.2.8.2 Build ID: 420m0(Build:2) and Version: 5.0.3.2 Build ID: e5f16313668ac592c1bfb310f4390624e3dbfb75 OS: Ubuntu 14.04 Problem description: -Navigate to: Tools > Options > LibreOffice Writer > Mail Merge E-mail > Server authentication -Enter email information including username and password -Confirm with Ok -Go to your user profile (in ubuntu ~/.config/libreoffice/4/user) anyway open the registrymodifications.xcu file with a text editor -Inside the file, search for your email password -There it is, your email password in clear text! Expected behaviour: Would expect my email password to be stored encrypted. I guess is a bug, maybe is the intended behaviour but still is a security issue.
<item oor:path="/org.openoffice.Office.Writer/MailMergeWizard"><prop oor:name="MailPassword" oor:op="fuse"><value>ClearTextPassword</value></prop></item> confirmed on: * Version: 4.4.7.2 * Build ID: f3153a8b245191196a4b6b9abd1d0da16eead600 * Locale: it_IT.UTF-8 * OS: openSUSE Tumbleweed (20151124) (x86_64) and * Version: 5.2.0.0.alpha0+ * Build ID: 0b1da98da44bc9acb9e42a5cd1842adf9d82a415 * CPU Threads: 4; OS Version: Linux 4.3; UI Render: default; * TinderBox: Linux-rpm_deb-x86_64@70-TDF, Branch:master, Time: 2015-12-22_05:54:37 * Locale: it-IT (it_IT.UTF-8) * OS: openSUSE Tumbleweed (20151124) (x86_64) The password is stored in cleartext and the help page: https://help.libreoffice.org/Common/Server_Authentication omits this information. Suggestions: a) Add the information to the help page b) Disallow the password saving c) implement a master password manager (like kwalletmanager, GNOME Keyring Manager/Seahorse for GNU/Linux or Keychain Access for OSX or Credential Manager for Windows).
(In reply to Marina Latini from comment #1) > Suggestions: > a) Add the information to the help page > b) Disallow the password saving > c) implement a master password manager (like kwalletmanager, GNOME Keyring > Manager/Seahorse for GNU/Linux or Keychain Access for OSX or Credential > Manager for Windows). So that should be three issues :) ?
(In reply to Cor Nouws from comment #2) > (In reply to Marina Latini from comment #1) > > > Suggestions: > > a) Add the information to the help page > > b) Disallow the password saving > > c) implement a master password manager (like kwalletmanager, GNOME Keyring > > Manager/Seahorse for GNU/Linux or Keychain Access for OSX or Credential > > Manager for Windows). > > So that should be three issues :) ? Hi Cor. The main problem is that the password is stored in clear text and the user doesn't know this. If this report is considered as a real bug (not a feature ;) ) I could consider to split the report into 3 different issues. Please, let me know the right steps :) Best, Marina
FYI: LibreOffice already has a password manager used e.g. with CMIS/WebDAV.
** Please read this message in its entirety before responding ** To make sure we're focusing on the bugs that affect our users today, LibreOffice QA is asking bug reporters and confirmers to retest open, confirmed bugs which have not been touched for over a year. There have been thousands of bug fixes and commits since anyone checked on this bug report. During that time, it's possible that the bug has been fixed, or the details of the problem have changed. We'd really appreciate your help in getting confirmation that the bug is still present. If you have time, please do the following: Test to see if the bug is still present with the latest version of LibreOffice from https://www.libreoffice.org/download/ If the bug is present, please leave a comment that includes the information from Help - About LibreOffice. If the bug is NOT present, please set the bug's Status field to RESOLVED-WORKSFORME and leave a comment that includes the information from Help - About LibreOffice. Please DO NOT Update the version field Reply via email (please reply directly on the bug tracker) Set the bug's Status field to RESOLVED - FIXED (this status has a particular meaning that is not appropriate in this case) If you want to do more to help you can test to see if your issue is a REGRESSION. To do so: 1. Download and install oldest version of LibreOffice (usually 3.3 unless your bug pertains to a feature added after 3.3) from http://downloadarchive.documentfoundation.org/libreoffice/old/ 2. Test your bug 3. Leave a comment with your results. 4a. If the bug was present with 3.3 - set version to 'inherited from OOo'; 4b. If the bug was not present in 3.3 - add 'regression' to keyword Feel free to come ask questions or to say hello in our QA chat: https://kiwiirc.com/nextclient/irc.freenode.net/#libreoffice-qa Thank you for helping us make LibreOffice even better for everyone! Warm Regards, QA Team MassPing-UntouchedBug
The issue is still present in: Version: 6.2.0.0.alpha0+ Build ID: e79dd394deedaeed122717700077b77d94360c12 CPU threads: 4; OS: Linux 4.16; UI render: default; VCL: kde4; Locale: it-IT (it_IT.UTF-8); Calc: group threaded
@Stephan, I thought you could be interested in this issue...
Dear michele, To make sure we're focusing on the bugs that affect our users today, LibreOffice QA is asking bug reporters and confirmers to retest open, confirmed bugs which have not been touched for over a year. There have been thousands of bug fixes and commits since anyone checked on this bug report. During that time, it's possible that the bug has been fixed, or the details of the problem have changed. We'd really appreciate your help in getting confirmation that the bug is still present. If you have time, please do the following: Test to see if the bug is still present with the latest version of LibreOffice from https://www.libreoffice.org/download/ If the bug is present, please leave a comment that includes the information from Help - About LibreOffice. If the bug is NOT present, please set the bug's Status field to RESOLVED-WORKSFORME and leave a comment that includes the information from Help - About LibreOffice. Please DO NOT Update the version field Reply via email (please reply directly on the bug tracker) Set the bug's Status field to RESOLVED - FIXED (this status has a particular meaning that is not appropriate in this case) If you want to do more to help you can test to see if your issue is a REGRESSION. To do so: 1. Download and install oldest version of LibreOffice (usually 3.3 unless your bug pertains to a feature added after 3.3) from https://downloadarchive.documentfoundation.org/libreoffice/old/ 2. Test your bug 3. Leave a comment with your results. 4a. If the bug was present with 3.3 - set version to 'inherited from OOo'; 4b. If the bug was not present in 3.3 - add 'regression' to keyword Feel free to come ask questions or to say hello in our QA chat: https://web.libera.chat/?settings=#libreoffice-qa Thank you for helping us make LibreOffice even better for everyone! Warm Regards, QA Team MassPing-UntouchedBug