GNOME Bugzilla – Bug 755190
Clearing personal data deletes saved passwords from Geary
Last modified: 2015-09-21 14:52:58 UTC
Versions: Fedora 23 GNOME Web 3.17.91 WebKitGtk 2.9.91 Geary 0.10.0 Steps to reproduce: 1. Add an email account in Geary (choosing to remember the password). 2. Reboot. 3. Open Geary (everything should be OK). 4. Now open GNOME Web, go into "Web" --> "Preferences" --> "Privacy" --> "Clear personal data..." --> Select everything --> "Clear". 5. Reboot. 6. Open Geary (Now Geary "forgot" the saved passwords).
The code deletes all passwords saved with SECRET_SCHEMA_COMPAT_NETWORK. This is arguably wrong since it deletes all network passwords saved by other applications with this schema. Geary *should* be using a different schema, but so should Epiphany. Epiphany definitely should not be deleting any passwords saved with this schema. Since we have no way to know which application saved the password, this is frankly unfixable for passwords previously saved. What we can do going forward is to use a separate schema, "leak" all the old passwords so that the user must delete them manually if desired, and delete only new passwords going forward.
Um, actually, we do have our own password schema. We are just deleting all the wrong passwords. Exception: WebKitGTK+ uses SECRET_SCHEMA_COMPAT_NETWORK for storing HTTP auth credentials. I guess those are the only passwords that the dialog is actually deleting. We probably need new API in WebKitGTK+ to allow specifying which schema to use for these.
Created attachment 311646 [details] [review] Fix clearing all passwords from the clear data dialog Epiphany saves passwords with EPHY_FORM_PASSWORD_SCHEMA. If we want to delete the passwords we've saved, we have to pass that schema to libsecret. Using the SECRET_SCHEMA_COMPAT_NETWORK guarantees we will only delete passwords saved by other apps, and none of our own passwords. Exception: WebKitGTK+ is saving HTTP auth passwords with SECRET_SCHEMA_COMPAT_NETWORK. This change means those passwords will no longer be deleted, which is non-ideal. This needs to be tested still, but it is a bit inconvenient to do so; I need a development build of Ephy with a test account, since I can't delete my real passwords. Diogo, since you were willing to press that button, are you able to test this easily?
By the way, this is what the passwords dialog does when deleting individual passwords, so it's probably right. ;)
(In reply to Michael Catanzaro from comment #3) > Diogo, since you were willing to press that button, are you > able to test this easily? Sure. I would need a Fedora build, though :/
(In reply to Diogo Campos from comment #5) > (In reply to Michael Catanzaro from comment #3) > > Diogo, since you were willing to press that button, are you > > able to test this easily? > > Sure. I would need a Fedora build, though :/ I've temporarily posted F23 and F24 RPMs at https://people.gnome.org/~mcatanzaro/ephy-clear-passwords-test/ You'll need to uninstall the Fedora-provided epiphany and epiphany-runtime packages, then install my epiphany-runtime RPM (and after that, optionally, my epiphany RPM, if you want the desktop file).
GNOME Web no longer deletes passwords from Geary, Michael. There is any extra test/check that I could do?
Thanks! Can you please also make sure it actually deletes its own passwords now, as well?
Oh, right. Silly me. There is a previous problem, however: seems like I am not able to save passwords. "Remember passwords" is checked, and I am doing logins in Bugzilla and GMail with the "Remember me" options checked/unchecked. BUT, no "do you want to save this password" dialog appears, and nothing is shown in the "manage passwords" modal window. As I never saved passwords in GNOME Web before (just through the "remember me" option - for some specific sites), I'm doing something wrong?
To be fair, I downgraded both packages and GNOME Web doesn't save passwords either. I really needed to uninstall the old packages, first? (I will try, now).
No luck from uninstalling old then installing new packages. I still can't save passwords. I will try a "manual reset", then...
(In reply to Diogo Campos from comment #9) > "Remember passwords" is checked, and I am doing logins in Bugzilla and GMail > with the "Remember me" options checked/unchecked. BUT, no "do you want to > save this password" dialog appears, and nothing is shown in the "manage > passwords" modal window. If you open up dconf-editor, and navigate to org.gnome.epiphany, is remember-passwords checked there too? Should be. The password field detection is not especially good, unfortunately. I've never seen it work on Bugzilla, but it does work for me on Google....
Tried a "manual reset" (uninstall, folders deletion, install, gsettings to default and reboots) and still no luck... Then, tried a Fedora 23 Alpha Live USB and it works fine... So, I'm thinking that I'm hitting a keyring related bug, Michael :/ (maybe caused by my "no password" Anaconda install, followed by a password inclusion through GNOME Control Center?) Anyway, I can't test GNOME Web's password saving until I get some clue of what's going on. Sorry :/
Yeah, it's probably a keyring bug. :( Anyway, I bet the patch is fine. Thanks for testing!
Attachment 311646 [details] pushed as fdf19b5 - Fix clearing all passwords from the clear data dialog