authorMaciej S. Szmigiero <mail@maciej.szmigiero.name>2019-09-28 00:50:14 +0200
committerMaciej S. Szmigiero <mail@maciej.szmigiero.name>2019-09-28 00:53:55 +0200
commit0498dd6862447633e9c7731955be5474cc81d911 (patch)
tree1fbb1e6a6bcf451e1738708f6efa151c345a4305
parent3c97670a8847f56518095dde1f7b0a2b68cc8421 (diff)
Don't show a TOTP secret when selecting a password entry in the main window
Knowing the TOTP secret for a password entry allows somebody to recreate the whole OTP sequence so it definitely shouldn't be displayed in the clear. In fact, it shouldn't be displayed at all in the main window since the proper way to utilize a TOTP entry is to click the "OTP" button to generate a new OTP (rather than to copy the secret to the clipboard like it was a password). The password edit dialog isn't affected by this change and will still show the whole entry, including its TOTP secret if present.
-rw-r--r--src/filecontent.cpp21
-rw-r--r--src/filecontent.h14
-rw-r--r--src/mainwindow.cpp3
3 files changed, 29 insertions, 9 deletions
diff --git a/src/filecontent.cpp b/src/filecontent.cpp
index d77983c2..0dc25756 100644
--- a/src/filecontent.cpp
+++ b/src/filecontent.cpp
@@ -1,11 +1,15 @@
#include "filecontent.h"
+static bool isLineHidden(const QString &line) {
+ return line.startsWith("otpauth://", Qt::CaseInsensitive);
+}
+
FileContent FileContent::parse(const QString &fileContent,
const QStringList &templateFields,
bool allFields) {
QStringList lines = fileContent.split("\n");
QString password = lines.takeFirst();
- QStringList remainingData;
+ QStringList remainingData, remainingDataDisplay;
NamedValues namedValues;
for (const QString &line : lines) {
if (line.contains(":")) {
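Review bot: `isLineHidden` matches only when `otpauth://` is the very first text on the line, so a line with leading whitespace, or one that carries the URI after a label, is still appended to `remainingDataDisplay` and shown in the main window. Since the aim is to keep the secret off screen, a fail-closed match is safer, e.g. `return line.contains("otpauth://", Qt::CaseInsensitive);`, at the cost of hiding any line that merely mentions the scheme. A one-line comment above the helper, such as `// Lines matching this are kept in remainingData but withheld from the main-window display.`, would also help, because the name does not say what the line is hidden from.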
@@ -20,9 +24,13 @@ FileContent FileContent::parse(const QString &fileContent,
continue;
}
}
+
remainingData.append(line);
+ if (!isLineHidden(line))
+ remainingDataDisplay.append(line);
}
- return FileContent(password, namedValues, remainingData.join("\n"));
+ return FileContent(password, namedValues, remainingData.join("\n"),
+ remainingDataDisplay.join("\n"));
}
QString FileContent::getPassword() const { return this->password; }
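Review bot: The new filter runs only on lines that reach `remainingData.append(line)`, but an `otpauth://` line always contains `:` and therefore first enters the `if (line.contains(":"))` branch, which can `continue` into `namedValues` before `isLineHidden` is consulted. The condition guarding that `continue` lies between the two hunks and is not visible here, so I cannot tell whether an otpauth line can satisfy it (for example when `templateFields` contains the text before the colon). If it can, the secret would still be rendered as a named field. Consider testing `isLineHidden(line)` before the named-value parsing, so that such a line goes to `remainingData` only, and add a parse test that puts `otpauth` among the template fields.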
@@ -31,11 +39,16 @@ NamedValues FileContent::getNamedValues() const { return this->namedValues; }
QString FileContent::getRemainingData() const { return this->remainingData; }
+QString FileContent::getRemainingDataForDisplay() const {
+ return this->remainingDataDisplay;
+}
+
FileContent::FileContent(const QString &password,
const NamedValues &namedValues,
- const QString &remainingData)
+ const QString &remainingData,
+ const QString &remainingDataDisplay)
: password(password), namedValues(namedValues),
- remainingData(remainingData) {}
+ remainingData(remainingData), remainingDataDisplay(remainingDataDisplay) {}
NamedValues::NamedValues() : QList() {}
diff --git a/src/filecontent.h b/src/filecontent.h
index 94e48aa0..845648f7 100644
--- a/src/filecontent.h
+++ b/src/filecontent.h
@@ -28,8 +28,8 @@ public:
* @brief parse parses the given fileContent in a FileContent object.
* The password is accessible through getPassword.
* The named value pairs (name: value) are parsed and depeding on the
- * templateFields and allFields parameters accessible through getNamedValues
- * or getRemainingData.
+ * templateFields and allFields parameters accessible through getNamedValues,
+ * getRemainingData or getRemainingDataForDisplay.
*
* @param fileContent the file content to parse.
*
@@ -61,13 +61,19 @@ public:
*/
QString getRemainingData() const;
+ /**
+ * @like getRemainingData but without data that should not be displayed
+ * (like a TOTP secret).
+ */
+ QString getRemainingDataForDisplay() const;
+
private:
FileContent(const QString &password, const NamedValues &namedValues,
- const QString &remainingData);
+ const QString &remainingData, const QString &remainingDataDisplay);
QString password;
NamedValues namedValues;
- QString remainingData;
+ QString remainingData, remainingDataDisplay;
};
#endif // FILECONTENT_H
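Review bot: `@like` is not a Doxygen command, so the comment added for `getRemainingDataForDisplay` will likely be flagged as an unknown command and may not appear in the generated docs. Use `@brief getRemainingDataForDisplay like getRemainingData, but without lines that must not be shown in the UI (such as a TOTP secret).` and add an `@return` line. The comment on `getRemainingData` starts above the hunk. It would be worth stating there that the result still contains the `otpauth://` line and is meant for the edit dialog, not for display in the main window.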
diff --git a/src/mainwindow.cpp b/src/mainwindow.cpp
index 1360b6be..5a0afb0c 100644
--- a/src/mainwindow.cpp
+++ b/src/mainwindow.cpp
@@ -399,7 +399,8 @@ void MainWindow::passShowHandler(const QString &p_output) {
ui->verticalLayoutPassword->setSpacing(0);
else
ui->verticalLayoutPassword->setSpacing(6);
- output = fileContent.getRemainingData();
+
+ output = fileContent.getRemainingDataForDisplay();
}
if (QtPassSettings::isUseAutoclearPanel()) {
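Review bot: The switch to `getRemainingDataForDisplay()` in `passShowHandler` has no comment saying why the display variant is required, so a later refactor could revert to `getRemainingData()` and put the TOTP secret back on screen without anyone noticing. Add a line above the assignment such as `// Display variant only: getRemainingData() still contains the otpauth:// secret.` The function starts and ends outside the hunk, so any other use of `p_output` or `fileContent` in it, for example the rendering of the named values, is not visible here and should be checked against the same rule.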