Add htmlInstaller support for password input fields #25

Open
jennings opened this Issue · 1 comment

Stephen Jennings

I have a desire to add <input type="password"> support to htmlInstaller, and I think this feature is applicable to be merged back into the main project.

It's a really easy change on the face of it (see jennings@4708b53), but if you have logging turned on, the password gets logged. This may not be what the user expects or desires. Should we also mask the value on the "Setting user-defined edit value" line for password fields (easy) or somehow mask the password if it gets passed as an argument to a component (much harder, I think)?

We use DNI for internal tools so we always have logging turned on for debugging purposes, but most people probably keep logging disabled by default, so maybe logging passwords isn't such a bad thing.

Daniel Doubrovkine (dB.) @dblockdotorg
Owner

I think logging passwords is a bad thing and I would go with an implementation that works much like MSI: you should be able to declare properties as 'secure' and therefore never logged. I see a few different ways to do it, but ultimately you want to know what's secure and what's not secure inside InstallerSession::Instance->AdditionalControlArgs.

A somewhat hacky way to do this may be to do a convention, where secure variables have to start with S: and strip anything that's S:* in LOG.
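
The `S:` convention suggested above, sketched as an added example (not code from dotNetInstaller or from either commenter): it masks the value on the "Setting user-defined edit value" line and scrubs secure values out of any other text before it is logged. The `std::map` of arguments, the function names, the mask string and the log line layout are assumptions made for the illustration.

```cpp
#include <algorithm>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Assumed convention (from the comment above): names starting with "S:" are secure.
static const std::string kSecurePrefix = "S:";
static const std::string kMask = "********";

bool IsSecure(const std::string& name) {
    return name.compare(0, kSecurePrefix.size(), kSecurePrefix) == 0;
}

// The "easy" case: the line written when an edit control's value is stored.
// The exact line layout here is constructed for the example.
std::string FormatSetValueLog(const std::string& name, const std::string& value) {
    return "Setting user-defined edit value '" + name + "'=" +
           (IsSecure(name) ? kMask : value);
}

// The "harder" case: scrub secure values out of any text about to be logged,
// e.g. a component command line that had the password substituted into it.
std::string RedactSecureValues(std::string text,
                               const std::map<std::string, std::string>& args) {
    std::vector<std::string> secrets;
    for (const auto& kv : args)
        if (IsSecure(kv.first) && !kv.second.empty())  // empty would match everywhere
            secrets.push_back(kv.second);
    // Longest first, so a secret that contains another is not left half-visible.
    std::sort(secrets.begin(), secrets.end(),
              [](const std::string& a, const std::string& b) { return a.size() > b.size(); });
    for (const auto& s : secrets) {
        for (std::size_t pos = 0; (pos = text.find(s, pos)) != std::string::npos; pos += kMask.size())
            text.replace(pos, s.size(), kMask);
    }
    return text;
}

int main() {
    // Constructed sample values, not taken from the project.
    std::map<std::string, std::string> args = {{"InstallDir", "C:\\App"}, {"S:DbPassword", "hunter2"}};
    for (const auto& kv : args) std::cout << FormatSetValueLog(kv.first, kv.second) << "\n";
    std::cout << RedactSecureValues("setup.exe /dir=C:\\App /pwd=hunter2", args) << "\n";
    return 0;
}
```

Value scrubbing only covers text that passes through the logger; a password handed to a child process on its command line is still visible to anything that can read that process's arguments.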

Stephen Jennings jennings referenced this issue from a commit in jennings/dotnetinstaller
Stephen Jennings jennings Set user-defined values from password fields 4708b53
Daniel Doubrovkine (dB.) @dblockdotorg dblock referenced this issue
Closed

password box #70
