Fix clipboard privacy issues: content logging, concealed-type gating, settings crash #5
MiMoHo wants to merge 1 commit into
Three fixes for handling of potentially sensitive clipboard data:

- Stop logging clipping contents on paste. pasteFromStack wrote the first 50 characters of every pasted clipping to the unified log via NSLog in release builds, where other processes, Console, and sysdiagnose bundles can read it. Short secrets (passwords, tokens) leaked in full.
- Honor the nspasteboard.org skip types independently of the 'Don't copy from password fields' toggle. The ConcealedType/TransientType/AutoGeneratedType check was nested inside the skipPasswordFields conditional, so unchecking that one box silently disabled all password-manager protection. The revealPasteboardTypes side effect also no longer runs (with a store save) on every poll.
- Fix invalid -setValue: calls (missing forKey:) in setSavePreference: that would raise unrecognized-selector and leave the iCloud-sync/save-preference interlock unapplied.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@haad — one topic beyond this PR's scope, posted here because the Issues tab is disabled on this repo (forks have it off by default; it can be enabled under Settings → General → Features, happy to move this there):

Release signing: Developer ID + notarization (and a path to becoming the Homebrew default)

Current state

Why it matters

Gatekeeper blocks non-notarized DMGs on other machines ("damaged"/"unverified developer"), so every user must right-click-open or strip the quarantine attribute. For a clipboard manager — an app that sees every password and token a user copies — training users to bypass Gatekeeper is exactly the wrong habit, and it removes the one cryptographic assurance that a downloaded binary matches this source.

The Homebrew angle

The official

Concrete steps

I'm happy to prepare the workflow changes as a PR — steps 2–4 are mechanical; only the certificate/account part (step 1) has to come from you.

🤖 Generated with Claude Code
Summary

Three fixes for handling of potentially sensitive clipboard data, found during a security review of the codebase:

1. Stop logging clipping contents to the unified log. pasteFromStack logged the first 50 characters of every clipping pasted via the bezel through NSLog — in release builds. Unified log entries are readable via Console/log show and end up in sysdiagnose bundles, so short secrets (passwords, tokens) leaked in full on every paste.

2. Honor the nspasteboard.org skip types independently of the password-fields toggle. The org.nspasteboard.ConcealedType/TransientType/AutoGeneratedType check was nested inside the skipPasswordFields conditional, so unchecking the innocuously-labeled "Don't copy from password fields" box silently disabled all password-manager protection. The type-based skip now runs on its own skipPboardTypes setting, as the two separate preferences imply. The revealPasteboardTypes debug aid also no longer triggers a store modification/save on every poll evaluation.

3. Fix invalid -setValue: calls in setSavePreference:. Two calls were missing forKey: — an unrecognized-selector exception if that path executes, leaving the iCloud-sync/save-preference interlock unapplied.

Testing

clang -fsyntax-only against the macOS SDK shows no new diagnostics versus master (the two setValue: warnings on master disappear with fix 3). No full local xcodebuild available on this machine; behavior changes are small and localized.

🤖 Generated with Claude Code
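
The gating regression described in fix 2, modelled as an added example that is not code from this PR or from the project. The function names, the fromPasswordField parameter and the sample type list are assumptions made for illustration; the three marker types and the two setting names are the ones the description mentions.

```objective-c
#import <Foundation/Foundation.h>

// Marker types from nspasteboard.org, as listed in the PR description.
static BOOL HasMarkerType(NSArray<NSString *> *types) {
    NSArray<NSString *> *markers = @[ @"org.nspasteboard.ConcealedType",
                                      @"org.nspasteboard.TransientType",
                                      @"org.nspasteboard.AutoGeneratedType" ];
    for (NSString *marker in markers) {
        if ([types containsObject:marker]) return YES;
    }
    return NO;
}

// Hypothetical "before" shape: the marker check is reachable only while
// skipPasswordFields is on, so turning that toggle off disables it too.
static BOOL ShouldSkipNested(NSArray<NSString *> *types, BOOL fromPasswordField,
                             BOOL skipPasswordFields, BOOL skipPboardTypes) {
    if (skipPasswordFields) {
        if (fromPasswordField) return YES;
        if (skipPboardTypes && HasMarkerType(types)) return YES;
    }
    return NO;
}

// Hypothetical "after" shape: each preference gates only its own check.
static BOOL ShouldSkipIndependent(NSArray<NSString *> *types, BOOL fromPasswordField,
                                  BOOL skipPasswordFields, BOOL skipPboardTypes) {
    if (skipPboardTypes && HasMarkerType(types)) return YES;
    if (skipPasswordFields && fromPasswordField) return YES;
    return NO;
}

int main(void) {
    @autoreleasepool {
        // Constructed sample: the types a password manager might declare.
        NSArray<NSString *> *types = @[ @"public.utf8-plain-text",
                                        @"org.nspasteboard.ConcealedType" ];
        // User unchecked the password-fields box but left type skipping on.
        BOOL nested = ShouldSkipNested(types, NO, NO, YES);
        BOOL independent = ShouldSkipIndependent(types, NO, NO, YES);
        // Log the decision and the type count only, never the clipping text.
        NSLog(@"types=%lu nested skip=%d independent skip=%d",
              (unsigned long)types.count, nested, independent);
    }
    return 0;
}
```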