GNOME Bugzilla – Bug 668544
Clipboard of host sent to remote machine, must be more explicit
Last modified: 2021-05-30 02:17:16 UTC
Vinagre 2.30.2 from GNOME 2 from Ubuntu 10.04 (which I am unfortunately still stuck at, because GNOME 3 is unusable)

Reproduction:
1. On your Linux desktop, open a text editor
2. Type "My password", select the text, and hit Ctrl-C
3. Open a Vinagre VNC connection to a remote host, e.g. running Windows
4. On the remote Windows host, open notepad.exe
5. In notepad's menu bar, using the mouse, click on Edit|Paste

Actual result: notepad.exe shows "My password"
Expected result: Nothing.

Importance: This is a critical security hole. Because I use a different password for every service, I have to copy&paste them. However, the remote machine is not trusted. In some cases, it's owned by a different company, in other cases I use VNC and a different machine specifically because I don't trust the software and need to test. If the untrusted host can get to my passwords from my trusted desktop, that's a critical security hole, because my passwords leak, and they may well give full access to other machines, my bank account or other highly sensitive data.
Possible solutions:
1) a pref, with default off and a clear warning about this problem, because many users will not be aware of it. A pref with default on or without a clear warning is *not* sufficient.
2) Better yet: A button on the toolbar "Copy clipboard"
   Text is copied from host desktop clipboard to remote machine clipboard only when that button is pressed.
3) A combination of 1) and 2)
Vinagre 2.30 is not actively maintained, so I suggest that you upgrade. Your assertion that GNOME 3 is unusable is demonstrably false, as I have witnessed people using it. If you find GNOME 3 to be unusable, then that is your own opinion, and not relevant to this bug report. The clipboard behaviour of Vinagre is no different than that of other applications, although this could be improved by adding an option to disable clipboard passthrough or adding copy and paste actions to the UI. I do not agree that Vinagre having access to the clipboard is a critical security hole, but I encourage you to submit a patch which fixes the problem as you see it to your satisfaction. As the Vinagre maintainer, I do not think that changing the current clipboard behaviour is justified given your reasoning, and I will not accept a patch which does so.
(In reply to comment #2)
> As the Vinagre maintainer, I do not think that changing the
> current clipboard behaviour is justified given your reasoning…

I meant to say the ‘default’ clipboard behaviour, not the ‘current’ clipboard behaviour.
> The clipboard behaviour of Vinagre is no different than that of other
> applications

I have seen other VNC applications that ask during connection setup. That's why I made suggestion 1), although I don't think that's a good solution.

> I do not agree that ... access to the clipboard is a critical security hole

This is a common reaction to security holes by design. If you considered this a problem, you (or the original author) wouldn't have done it in the first place. I think I did illustrate the problem, though. It is a *fact* that the untrusted host, which I put in a jail and accessed via VNC, exactly because I did not trust it and did not want it to have any sensitive information, got my sensible passwords. That *is* a security hole, and critical, because it can easily lead to complete compromise of hosts. These are undeniable facts. Using VNC to jail and use an untrusted host is a common usage pattern that I have also personally seen at government agencies handling highly sensible documents (on the trusted host desktop system). Just imagine...

> this could be improved by ... adding copy and paste actions to the UI

Thank you.

> I encourage you to submit a patch which fixes the problem as you see
> it to your satisfaction

Good.
Possible solution, concretely:
1. "Paste" button on VNC viewer toolbar. If the user presses the button, the viewer sends the clipboard to the remote machine at that moment, and then triggers a Ctrl-V keypress in the remote machine.
2. If the user doesn't press the button, but focuses the VNC viewer and presses Ctrl-V, the viewer sends the clipboard to the remote machine and only then sends the Ctrl-V to the remote machine.

In both cases, mouse or keyboard, you wouldn't need any more actions in practice. You still do Ctrl-C in your Linux app, switch to the viewer, press Ctrl-V there, and you got the text in notepad.exe.

Of course that would be configurable so that you can change the key combo, e.g. for Macs, or to disable sending the key combo after the Paste button, or to disable the clipboard entirely.
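
The explicit-paste flow proposed in the comment above, modelled as an added example (not part of the thread and not Vinagre code). The `ClipboardGate` class and its mode names are hypothetical; the message layouts are the RFB ClientCutText and KeyEvent messages from RFC 6143.

```python
import struct

# RFB (RFC 6143) client-to-server message types and the X11 keysyms for Ctrl-V.
MSG_KEY_EVENT, MSG_CLIENT_CUT_TEXT = 4, 6
KEYSYM_CONTROL_L, KEYSYM_V = 0xFFE3, 0x0076


def client_cut_text(text):
    """ClientCutText: type, 3 padding bytes, u32 length, Latin-1 text."""
    data = text.encode("latin-1", errors="replace")
    return struct.pack(">B3xI", MSG_CLIENT_CUT_TEXT, len(data)) + data


def key_event(keysym, down):
    """KeyEvent: type, down-flag, 2 padding bytes, u32 keysym."""
    return struct.pack(">BB2xI", MSG_KEY_EVENT, int(down), keysym)


class ClipboardGate:
    """Hypothetical viewer-side policy (assumption, not Vinagre's API).

    auto:     every local clipboard change is sent (the reported behaviour)
    explicit: clipboard is sent only when the user asks to paste
    off:      clipboard is never sent
    """

    def __init__(self, mode="explicit", send_paste_keys=True):
        if mode not in ("auto", "explicit", "off"):
            raise ValueError(mode)
        self.mode = mode
        self.send_paste_keys = send_paste_keys
        self.local_clipboard = ""
        self.wire = []  # messages that would be written to the VNC socket

    def on_local_clipboard_changed(self, text):
        self.local_clipboard = text
        if self.mode == "auto":
            self.wire.append(client_cut_text(text))

    def on_paste_requested(self):
        """Paste button pressed, or Ctrl-V typed while the viewer has focus."""
        if self.mode == "explicit":
            self.wire.append(client_cut_text(self.local_clipboard))
        if self.send_paste_keys:
            self.wire += [key_event(KEYSYM_CONTROL_L, True), key_event(KEYSYM_V, True),
                          key_event(KEYSYM_V, False), key_event(KEYSYM_CONTROL_L, False)]
```

In `explicit` mode a copy on the local desktop puts nothing on the wire; the clipboard bytes leave only as part of the paste action, immediately before the Ctrl-V key events.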
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org. As part of that, we are mass-closing older open tickets in bugzilla.gnome.org which have not seen updates for a longer time (resources are unfortunately quite limited so not every ticket can get handled). If you can still reproduce the situation described in this ticket in a recent and supported software version of Vinagre, then please follow https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines and create a new enhancement request ticket at https://gitlab.gnome.org/GNOME/vinagre/-/issues/ Thank you for your understanding and your help.
Please do not reopen this ticket. See my previous comment. Thanks.