QLineEdit密码安全 [英] QLineEdit password safety

问题描述

在我的应用程序中，用户在QLineEdit中键入其密码. QLineEdit在密码回显模式下工作.

In my application user types his password in QLineEdit. QLineEdit works in Password echo mode.

当不再需要密码时，应用程序必须从内存中清除密码.

Application must clear password from memory when it is no longer needed.

QLineEdit是否确保在释放所有内部内存缓冲区之前将其清除?我在文档中找不到此类信息.

Does QLineEdit make sure that it clears all its internal memory buffers before they are freed? I cannot found such information in documentation.

如果QLineEdit不清除其内容，那么实现这种行为的最简单方法是什么?我想尽可能地重用QLineEdit功能，并且不想从头开始实现我自己的密码编辑控件.有可能吗?

If QLineEdit does not clear its content then what is the simplest way to implement such behavior? I want to reuse QLineEdit functionality as much as possible and do not want to implement my own password edit control from scratch. Is it possible?

推荐答案

请注意，即使调用setText({})也不是完全安全的-如果将应用程序换出，该字符串可能会写入交换空间.防止这种情况的唯一方法是自己为lineEdit的内部字符串分配内存，并在其上调用mlock()以防止交换.为此，您需要编写自己的lineEdit.

Note that even when calling setText({}) is not completely safe - the string might get written to swap space if your application is swapped out. The only way to prevent that is to allocate the memory for the internal string of the lineEdit yourself and call mlock() on it to prevent swapping. For that you need to write your own lineEdit.

此外，在附加诸如

In addition, the text is quite trivial to figure out when attaching a run-time introspection tool like Gammaray to your application, as it is a normal QObject property, and stored obfuscated in RAM.

此外，通过查看QWidgetLineControl::internalSetText的实现(请参见代码)，似乎该行编辑文本可用于可访问性界面，除非可访问性支持未编译到Qt中，否则所有人都可以使用它.

Also, by looking at the implementation of QWidgetLineControl::internalSetText (see the code), it seems like the line edit text is made available for the accessibility interface, which is accessible to everyone unless accessibility support was not compiled into Qt.

因此，根据您的安全级别，您确实需要自己的实现.

So, depending on your security level, you do need your own implementation.

这篇关于QLineEdit密码安全的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！