Ferdi: Password lock can be bypassed

Created on 29 Oct 2019 · 8 Comments · Source: getferdi/ferdi

Describe the bug
I just installed and tried version 5.4.0-beta.4, there is a major fault with the password scheme: you can bypass it easily!

To Reproduce
Steps to reproduce the behavior:

  1. Go to menu 'Ferdi>Settings' (settings page opens)
  2. Click on 'X' to close the settings page,
    AND you are in the app and can work without having to input a password!

Expected behavior
I expected the password lock to lock down everything except a Quit option! Nothing should allow us in the app without the password!

Desktop (please complete the following information):

  • OS: MAC OS Mojave v10.14.6
  • Browser: Chrome v Version 78.0.3904.70 (Official Build) (64-bit)

  • Ferdi Version 5.4.0-beta.4 (5.4.0-beta.4.779)

I will surely donate when I have a password working because this project is really interesting and extremely helpful to me. I await the fix.

bug

All 8 comments

Menu item "SERVICES" and selecting any service there while in locked screen also opens up the service and unlocks the app without a password.
Menu item "VIEW>Toggle Developer Tools" opens the tools, it should not do so when the app is locked.
Menu item "VIEW>Open Quick Switch", actually opens the dialog box of quick switch but under the lock screen, you will see the opened Quick Switch dialog when you unlock the app.
ALL MENUS should be deactivated while in locked screen.

You could also open the developer tools and execute a specific command to disable the lock from there.

I think we should just disable most of the menu items while on the lock screen.

@ammarmalhas Thank you for reporting this, this is indeed a flaw in the lock system. Your feedback has been taken into consideration and a fix will be provided in the next version.

If I can suggest something; someone can check in the settings.json file of Ferdi and find the password. So is there a way to do some hash to the password and when someone checks the settings file you only see a hashing number? Like "MyPassword007" to "9_8h3=710d28h2r3@f98h3289t4-t23t320"?

Fixed the original issue, will take a look at hashing the lock password.
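
The hashing suggested in the comments above, sketched as an added example (not Ferdi's code and not the fix in the linked commit): a salted scrypt hash is stored in place of the plaintext lock password and checked in constant time. The settings keys `lockPassword` and `lockHash` are hypothetical, and the sample settings object is constructed.

```javascript
// Added example, not Ferdi's code. The settings keys `lockPassword` and
// `lockHash` are hypothetical names chosen for this sketch.
const { scryptSync, randomBytes, timingSafeEqual } = require('node:crypto');

const KEY_LEN = 32;
const PARAMS = { N: 16384, r: 8, p: 1 }; // scrypt cost, stored beside the hash

// Returns "scrypt$N$r$p$salt$hash", safe to write to settings.json.
function hashLockPassword(password) {
  const salt = randomBytes(16); // fresh salt per password
  const hash = scryptSync(password.normalize('NFKC'), salt, KEY_LEN, PARAMS);
  return ['scrypt', PARAMS.N, PARAMS.r, PARAMS.p,
    salt.toString('base64'), hash.toString('base64')].join('$');
}

// True only if `attempt` matches the stored record; never throws.
function verifyLockPassword(attempt, stored) {
  if (typeof attempt !== 'string' || typeof stored !== 'string') return false;
  const parts = stored.split('$');
  // A legacy plaintext value or a malformed record is rejected, not compared.
  if (parts.length !== 6 || parts[0] !== 'scrypt') return false;
  const [N, r, p] = parts.slice(1, 4).map(Number);
  const salt = Buffer.from(parts[4], 'base64');
  const expected = Buffer.from(parts[5], 'base64');
  if (expected.length !== KEY_LEN) return false;
  let actual;
  try {
    actual = scryptSync(attempt.normalize('NFKC'), salt, KEY_LEN, { N, r, p });
  } catch {
    return false; // cost parameters in the file were invalid
  }
  return timingSafeEqual(actual, expected); // constant-time comparison
}

// One-time migration: replace a plaintext password with its hash.
function migrateSettings(settings) {
  const { lockPassword, ...rest } = settings;
  if (typeof lockPassword !== 'string' || lockPassword === '') return settings;
  return { ...rest, lockHash: hashLockPassword(lockPassword) };
}

// Constructed sample settings, using the password quoted in the comment.
const migrated = migrateSettings({ lockPassword: 'MyPassword007', theme: 'dark' });
console.log(JSON.stringify(migrated, null, 2));
console.log(verifyLockPassword('MyPassword007', migrated.lockHash));
```

Hashing keeps the password itself out of settings.json; anyone who can write to the file can still replace the stored value, so the file's permissions matter as well.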

I am sorry Version 5.4.0 (5.4.0.870) does not fix the original issue. Lock can be bypassed by selecting any menu item (well many menu items) and simply hitting the "X" (Close) of the window and we are in the app bypassing the password lock!

@ammarmalhas I just fixed the issue with https://github.com/getferdi/ferdi/commit/9214b63967ca659fb083d9c994842995aef126f6, it will be available in the next update 🙏 thank you for your patience.

Available in v5.4.1-beta.1.
