
plain text password in the database #3421

Closed
ukcb opened this issue Jul 10, 2018 · 10 comments · Fixed by #4435

Comments

ukcb commented Jul 10, 2018

I can see my admin password in plain text in the database.

sessionstorage:-FWbiguBVxp1_VWLERNNheogwak9aewi {"cookie":
{"path":"/","_expires":null,"originalMaxAge":null,"httpOnly":true,"secure":false},
"passport":{},"user":{"password":"Here is a plain text password!",
"is_admin":true,"username":"admin"}}

That must not happen!

v1.6.6

@JohnMcLear (Member)

Steps to replicate

  1. Uncomment password section
  2. Visit /admin
  3. Cat var/dirty.db | grep YOURPASS

@JohnMcLear (Member)

PR in to fix.
#3782

muxator pushed a commit to JohnMcLear/etherpad-lite that referenced this issue Apr 1, 2020
@muxator muxator closed this as completed in 53f1260 Apr 1, 2020
muxator pushed a commit to anttiviljami/etherpad-lite that referenced this issue Apr 2, 2020
alasserr commented May 15, 2020

Hi, the 5c5b99f commit makes etherpad not usable (at least with the Docker version):

  • at first login, the admin password is the one set up from the Docker environment variables
  • but then the login is changed to "PASSWORD_HIDDEN"

I'm not sure it only concerns Docker versions, but this is a HUGE problem.

Using etherpad/etherpad (1.8.4) with a PostgreSQL DB, from Docker. But I tried modifying the password directly in settings.json => same issue (first login OK, second > PASSWORD_HIDDEN), so I'm not sure it is 100% Docker related.

Edit: I confirm that when I remove the code added by @JohnMcLear in file src/node/db/SessionStore.js, lines 40 to 45, the password is now kept between sessions.

@JohnMcLear (Member)

Weird. I'm not sure how it doesn't affect non-Docker deployed versions though?

JohnMcLear (Member) commented May 15, 2020

I can't even get the password prompt. I changed password and I'm not re-prompted..

jose@server:~/develop$ cat settings.json | grep pass | grep derp
      "password": "derp",

What are you doing to get the re-prompt?

I went through every step, and maybe it's related to just setting the password through the password environment variable? If you set the password with settings.json, are things okay? I'm not suggesting you should; I'm just trying to isolate the cause / scope of impact.

muxator (Contributor) commented May 16, 2020

The bug reported by @alasserr is confirmed, and it's not related to Docker.
I should have been more thorough in #3782 (comment), sorry.

Let's move the discussion on #4016.

rhansen added a commit to rhansen/etherpad-lite that referenced this issue May 16, 2020
…ing in db"

This reverts commit 53f1260, which
broke user authentication.

Fixes issue ether#4016.
Reopens issue ether#3421.
muxator pushed a commit that referenced this issue May 17, 2020
…ing in db"

This reverts commit 53f1260, which
broke user authentication.

Fixes issue #4016.
Reopens issue #3421.
rhansen (Member) commented May 17, 2020

This issue should be reopened (the fix that closed this issue was reverted).

rhansen added a commit to rhansen/etherpad-lite that referenced this issue May 17, 2020
…ing in db"

This reverts commit 53f1260, which
broke user authentication.

Fixes issue ether#4016.
Reopens issue ether#3421.

(cherry picked from commit 901a3f3)
muxator pushed a commit that referenced this issue May 22, 2020
…ing in db"

This reverts commit 53f1260, which
broke user authentication.

Fixes issue #4016.
Reopens issue #3421.

(cherry picked from commit 901a3f3)
@JohnMcLear JohnMcLear reopened this Jul 19, 2020
@JohnMcLear JohnMcLear modified the milestones: 1.8.3, 1.9 Sep 9, 2020
@JohnMcLear (Member)

@rhansen can you think of a way to solve this issue? It's one of the most critical for 1.9.

rhansen (Member) commented Oct 25, 2020

@JohnMcLear Wasn't this fixed by #4178?

rhansen (Member) commented Oct 25, 2020

Oh, this is different.

Hmm... I think we can store a shallow copy of the settings.users[username] object as req.session.user and remove the password field from that copy. I'll toss together a PR.
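
The shallow-copy approach proposed above, as an added illustration that is not etherpad's own code: the constructed `settingsUsers` object stands in for `settings.users`, the password value is a placeholder, and `serializeSession` only mimics what a session store writes (the record in the first comment). The hardened path drops the field from the copy without touching the settings object, which is what the reverted 53f1260 fix got wrong and why subsequent logins broke.

```javascript
// Constructed stand-in for settings.users; the password is a placeholder.
const settingsUsers = {
  admin: { password: 'PLACEHOLDER_PASSWORD', is_admin: true },
};

// Vulnerable pattern: the settings entry, password included, becomes the
// session user object, so the session store serialises the secret to disk.
function sessionUserUnsafe(users, username) {
  const user = users[username];
  if (!user) return null;
  return { username, ...user };
}

// Hardened pattern: shallow-copy the entry and delete the password field
// from the copy only. settings.users keeps the password, so the next login
// can still be verified against it.
function sessionUserSafe(users, username) {
  const user = users[username];
  if (!user) return null;
  const copy = { username, ...user };
  delete copy.password;
  return copy;
}

// Simulates the record a session store would persist for req.session
// (shape modelled on the first comment, values constructed).
function serializeSession(user) {
  const session = {
    cookie: { path: '/', httpOnly: true, secure: false },
    passport: {},
    user,
  };
  return JSON.stringify(session);
}

// Detection check: does the persisted record contain any configured password?
function recordLeaksPassword(record, users) {
  return Object.values(users).some(
    (u) => typeof u.password === 'string' && record.includes(u.password));
}

const unsafeRecord = serializeSession(sessionUserUnsafe(settingsUsers, 'admin'));
const safeRecord = serializeSession(sessionUserSafe(settingsUsers, 'admin'));
console.log('unsafe record leaks password:', recordLeaksPassword(unsafeRecord, settingsUsers)); // true
console.log('safe record leaks password:', recordLeaksPassword(safeRecord, settingsUsers));     // false
console.log('settings still intact:', settingsUsers.admin.password === 'PLACEHOLDER_PASSWORD'); // true
```

`recordLeaksPassword` is the kind of assertion a regression test can run against a dumped session record, so the leak cannot silently return.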
