Skip to content

fix: disable copy/cut and block undo/redo in DPasswordEdit#753

Open
18202781743 wants to merge 1 commit into
masterfrom
personal/yeshanshan/fix-dpasswordedit-security
Open

fix: disable copy/cut and block undo/redo in DPasswordEdit#753
18202781743 wants to merge 1 commit into
masterfrom
personal/yeshanshan/fix-dpasswordedit-security

Conversation

@18202781743

@18202781743 18202781743 commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

DPasswordEdit构造时默认禁用复制、剪切功能,并拦截撤消、重做快捷键,防止密码信息泄露。

Log: DPasswordEdit禁用复制粘贴及撤销重做快捷操作
PMS: TASK-392179

@18202781743 18202781743 requested review from BLumia and mhduiy July 8, 2026 05:27

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry @18202781743, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

@18202781743 18202781743 force-pushed the personal/yeshanshan/fix-dpasswordedit-security branch from c87f354 to 174b178 Compare July 8, 2026 06:53
BLumia
BLumia previously approved these changes Jul 8, 2026
@18202781743 18202781743 force-pushed the personal/yeshanshan/fix-dpasswordedit-security branch 2 times, most recently from bf32ffa to d265184 Compare July 8, 2026 09:20
@18202781743 18202781743 requested a review from BLumia July 8, 2026 09:21
@18202781743 18202781743 force-pushed the personal/yeshanshan/fix-dpasswordedit-security branch 2 times, most recently from cfe4608 to 2fe777e Compare July 8, 2026 09:44
@deepin-ci-robot

Copy link
Copy Markdown
Contributor

deepin pr auto review

★ 总体评分:70分

■ 【总体评价】

代码实现了密码编辑框的安全增强,但存在严重的内存泄漏问题
逻辑正确但因内存泄漏和字符串匹配脆弱扣30分

■ 【详细分析】

  • 1.语法逻辑(存在严重错误)✕

在 DPasswordEdit::eventFilter 函数中,处理 QEvent::ContextMenu 事件时,调用了 lineEdit()->createStandardContextMenu() 创建了 QMenu 对象,但未调用 delete 或设置 Qt::WA_DeleteOnClose 属性,导致每次右键点击都会泄漏一个菜单对象及其子动作。
潜在问题:内存泄漏会导致应用内存占用持续增长,最终可能引发崩溃。
建议:在 menu->popup() 之前添加 menu->setAttribute(Qt::WA_DeleteOnClose); 或使用智能指针管理生命周期。

  • 2.代码质量(较差)✕

在 DPasswordEdit::eventFilter 函数中,使用 text.startsWith(QLineEdit::tr("&Undo")) 等方式通过本地化字符串匹配来禁用菜单项。这种方式非常脆弱,一旦翻译发生变化或在不同语言环境下,匹配将失效。
潜在问题:国际化适配问题导致功能失效;代码可维护性差。
建议:尽量通过动作的快捷键或对象名称进行识别,而非依赖界面显示文本。

  • 3.代码性能(存在性能问题)✕

每次触发右键菜单事件都会动态创建 QMenu 及其子组件,且未释放,不仅造成内存泄漏,也增加了不必要的对象创建开销。
潜在问题:频繁右键操作时性能下降。
建议:修复内存泄漏的同时,确保资源及时释放。

  • 4.代码安全(存在0个安全漏洞)✓

漏洞对比统计:新增漏洞 0 个,减少漏洞 0 个,持平 0 个
本次修改通过禁用复制、剪切、撤销和重做功能,增强了密码输入框的安全性,防止密码被意外泄露或通过历史记录恢复。未引入新的安全漏洞。
建议:保持当前安全防护逻辑,确保在修复其他问题的同时不破坏安全特性。

■ 【改进建议代码示例】

diff --git a/src/widgets/dpasswordedit.cpp b/src/widgets/dpasswordedit.cpp
--- a/src/widgets/dpasswordedit.cpp
+++ b/src/widgets/dpasswordedit.cpp
@@ -140,49 +140,51 @@ bool DPasswordEdit::eventFilter(QObject* watcher, QEvent* event)
         }
     }
 #endif
 
     if (watcher == lineEdit() && event->type() == QEvent::KeyPress) {
         QKeyEvent *keyEvent = static_cast<QKeyEvent *>(event);
         if (keyEvent->matches(QKeySequence::Undo)
             || keyEvent->matches(QKeySequence::Redo)) {
             return true;
         }
     }
 
     if (watcher == lineEdit() && event->type() == QEvent::ContextMenu) {
         QMenu *menu = lineEdit()->createStandardContextMenu();
         if (!menu)
             return DLineEdit::eventFilter(watcher, event);
 
+        menu->setAttribute(Qt::WA_DeleteOnClose);
+
         for (QAction *action : menu->actions()) {
             const auto &text = action->text();
             if (text.startsWith(QLineEdit::tr("&Undo"))
                 || text.startsWith(QLineEdit::tr("&Redo"))) {
                 action->setEnabled(false);
             }
             if (text.startsWith(QLineEdit::tr("Cu&t")) && !cutEnabled()) {
                 action->setEnabled(false);
             }
             if (text.startsWith(QLineEdit::tr("&Copy")) && !copyEnabled()) {
                 action->setEnabled(false);
             }
             if (text.startsWith(QLineEdit::tr("&Paste")) && !pasteEnabled()) {
                 action->setEnabled(false);
             }
         }
 
         menu->popup(static_cast<QContextMenuEvent *>(event)->globalPos());
         event->accept();
         lineEdit()->setFocus();
         return true;
     }
 
     return DLineEdit::eventFilter(watcher, event);
 }

@18202781743

Copy link
Copy Markdown
Contributor Author

需要兼容qt5和qt6,qt5上没设置objectName,无法区分,只能通过text来区分,

@18202781743 18202781743 changed the title fix: disable copy/cut/paste and block undo/redo in DPasswordEdit fix: disable copy/cut and block undo/redo in DPasswordEdit Jul 8, 2026
@deepin-ci-robot

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: 18202781743, BLumia, robertkill

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Default-disable copy/cut for security, intercept undo/redo
shortcuts and context menu actions to prevent password leakage.

DPasswordEdit构造时默认禁用复制、剪切功能,拦截撤消、重做快捷键及右键菜单项,防止密码信息泄露。

Log: DPasswordEdit禁用复制粘贴及撤销重做,防止密码泄露
PMS: TASK-392179
Influence: DPasswordEdit密文明文均禁止复制粘贴和撤销重做,提升密码输入安全性。
@18202781743 18202781743 force-pushed the personal/yeshanshan/fix-dpasswordedit-security branch from 2fe777e to 202b913 Compare July 8, 2026 10:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants