refactor: secure password transmission by QDBusUnixFileDescriptor

GongHeng2017 · GongHeng2017 · commit 29089d361b23 · 2026-05-20T17:23:51.000+08:00
Changed from using base64-encoded password strings to using QDBusUnixFileDescriptor for transmitting passwords during network mount operations Log: Enhanced security of password transmission in network mounting Influence: 1. Test network mount with password to ensure successful authentication 2. Verify anonymous mount still works without password 3. Validate password saving functionality when savePasswd is enabled 4. Test mount failure scenarios (wrong password, network error) to ensure error handling 5. Ensure compatibility with existing D-Bus service (MountControl) that expects file descriptor feat: 在网络挂载中使用文件描述符安全传输密码 将密码传输从 base64 编码字符串改为使用 QDBusUnixFileDescriptor Log: 改进了网络挂载中密码传输的安全性 Task: https://pms.uniontech.com/task-view-389921.html Influence: 1. 测试带密码的网络挂载，确保认证成功 2. 验证匿名挂载在无密码时仍能正常工作 3. 验证启用 savePasswd 时的密码保存功能 4. 测试挂载失败场景（错误密码、网络错误）以确保错误处理正常 5. 确保与现有 D-Bus 服务（MountControl）的兼容性，该服务期望接收文件描述符
diff --git a/src/dfm-mount/private/dnetworkmounter.cpp b/src/dfm-mount/private/dnetworkmounter.cpp
@@ -13,6 +13,7 @@
 #include <QDebug>
 #include <QTimer>
 #include <QtConcurrent>
+#include <QDBusUnixFileDescriptor>
 
 #include <libmount.h>
 
@@ -148,9 +149,7 @@ QList<QVariantMap> DNetworkMounter::loginPasswd(const QString &address)
         if (err)
             qDebug() << "query password failed: " << passwd << err->message;
         else {
-            // since daemon accept base64-ed passwd to mount cifs, cleartext should be encoded with base64
-            // see commit of dde-file-manager: 3b50664d4034754b15c1a516cfaab8c7fbdd3db9
-            passwd.insert(kLoginPasswd, QString(QByteArray(pwd).toBase64()));
+            passwd.insert(kLoginPasswd, pwd);
         }
     }
     return passwds;
@@ -471,12 +470,52 @@ void DNetworkMounter::mountByGvfsCallback(GObject *srcObj, GAsyncResult *res, gp
     delete finalize;
 }
 
+static QVariant preparePasswd(const QString &passwd)
+{
+    if (passwd.isEmpty()) {
+        qDebug() << "Created empty QVariant for empty passwd";
+        return QVariant("");
+    }
+
+    // Prepare passwd
+    const QByteArray passwdBytes = passwd.toLocal8Bit();
+
+    // Create pipe
+    int pipefds[2];
+    if (pipe(pipefds) == -1) {
+        qCritical() << "Failed to create pipe:" << strerror(errno);
+        return QVariant("");
+    }
+
+    // pipefds[0] is for reading
+    // pipefds[1] is for writing
+    int read_fd = pipefds[0];
+    int write_fd = pipefds[1];
+
+    // Write passwd to pipe
+    qint64 bytesWritten = write(write_fd, passwdBytes.constData(), passwdBytes.size());
+    close(write_fd);
+    if (bytesWritten != passwdBytes.size()) {
+        qCritical() << "Failed to write passwd to pipe.";
+        close(read_fd);
+        return QVariant("");
+    }
+
+    // Create file descriptor wrapper
+    QDBusUnixFileDescriptor dbusFd(read_fd);
+    // read_fd has been copied to QDBusUnixFileDescriptor
+    close(read_fd);
+
+    qDebug() << "Successfully created fd for passwd transmission";
+    return QVariant::fromValue(dbusFd);
+}
+
 DNetworkMounter::MountRet DNetworkMounter::mountWithUserInput(const QString &address,
                                                               const MountPassInfo info)
 {
     QVariantMap param { { kLoginUser, info.userName },
                         { kLoginDomain, info.domain },
-                        { kLoginPasswd, info.passwd },
+                        { kLoginPasswd, preparePasswd(info.passwd) },
                         { kLoginTimeout, info.timeout },
                         { kMountFsType, "cifs" } };
 
@@ -495,13 +534,8 @@ DNetworkMounter::MountRet DNetworkMounter::mountWithUserInput(const QString &add
     if (ok) {
         err = DeviceError::kNoError;
 
-        if (!info.anonymous && info.savePasswd != NetworkMountPasswdSaveMode::kNeverSavePasswd) {
-            // since passwd from user input is base64-ed data, so the passwd should be decoded into cleartext for saving.
-            // associated commit of dde-file-manager: 3b50664d4034754b15c1a516cfaab8c7fbdd3db9
-            auto _info = info;
-            _info.passwd = QByteArray::fromBase64(info.passwd.toLocal8Bit());
-            savePasswd(address, _info);
-        }
+        if (!info.anonymous && info.savePasswd != NetworkMountPasswdSaveMode::kNeverSavePasswd)
+            savePasswd(address, info);
     }
 
     return { ok, err, mpt };
@@ -517,7 +551,7 @@ DNetworkMounter::MountRet DNetworkMounter::mountWithSavedInfos(const QString &ad
     for (const auto &login : infos) {
         QVariantMap param { { kLoginUser, login.value(kSchemaUser, "") },
                             { kLoginDomain, login.value(kSchemaDomain, "") },
-                            { kLoginPasswd, login.value(kLoginPasswd, "") },
+                            { kLoginPasswd, preparePasswd(login.value(kLoginPasswd, "").toString()) },
                             { kLoginTimeout, secs },
                             { kMountFsType, "cifs" } };
 
