-
Notifications
You must be signed in to change notification settings - Fork 484
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Backups should not store sensitive data #744
Comments
Hello Luna712. Found provider name: |
|
Yeah It would not make much sense now that I think of it, not storing it only introduces another way to bypass the PIN, so nevermind on that part
API 33 |
Please do not touch the backup system overly much, my PR reworks a lot there, including fixing sensitive keys. |
Your PR was the reason I created this instead of trying to fix it myself for this exact reason, I did not know it fixed the issue though, sorry about that. |
Steps to reproduce
Backup and then look at backup
Expected behavior
Sensitive data should not be in there
Actual behavior
Sensitive data is there
For example,
"opensubtitles_account_3/open_subtitles_user":"{\"user\":\"<real_username>\",\"pass\":\"<real_password>\",\"access_token\":\"<real_access_token>\"}"
From what I could tell, this is meant to be avoided by this, but it does not seem to work properly:
cloudstream/app/src/main/java/com/lagradost/cloudstream3/utils/BackupUtils.kt
Lines 51 to 69 in 8b73c35
Additionally we should probably add lockPin to be excluded from that as well. simkl_user maybe also, even though that only stores username and avatar, it can't be used on restore without reauthorization, especially if you restore on a different device. And another issue is when restoring it should only try to enable the plugins from restored repositories that you had enabled before, the only option seems to be none and do all needed knes manually again, or do all of them and remove ones you don't want again.
Also, automatic backups don't seem to always work on my phone. It does on TV and even emulator but on my phone, set to 3 hours and last backup was two days ago. Subscription worker doesn't seem to be triggered either. I notice subscriptions being updated on emulator on PC, but on phone, I never, as if the schedulers just don't work on the phone very often.
Cloudstream version and commit hash
4.2.1 8b73c35
Android version
Android 13
Logcat
No response
Other details
No response
Acknowledgements
The text was updated successfully, but these errors were encountered: