Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mail settings editor is storing user password if autocomplete in browser is enabled #11385

Closed
LukasReschke opened this issue Oct 1, 2014 · 3 comments
Closed

Mail settings editor is storing user password if autocomplete in browser is enabled #11385

LukasReschke opened this issue Oct 1, 2014 · 3 comments
Assignees
@LukasReschke
Labels
security Type:Bug
Milestone
2014-sprint-06

Comments

@LukasReschke
Copy link
Member

If the user password is stored in the browser and the admin visits the "admin page" the stored login credentials are written unencrypted to config.php without any notice to the user (i.e. even the admin page does not show something) - this is dangerous for multiple reasons and needs to be addressed.

@karlitschek @craigpg Gold for me though not relevant for beta - we can merge the fix together with 7.0.3. - Will create a fix later this week.
@LukasReschke LukasReschke self-assigned this Oct 1, 2014
@LukasReschke LukasReschke added this to the 2014-sprint-05-current milestone Oct 1, 2014
@craigpg
Copy link

craigpg commented Oct 1, 2014

@LukasReschke, great catch.

@karlitschek
Copy link
Contributor

thanks @LukasReschke

LukasReschke added a commit that referenced this issue Oct 3, 2014
@LukasReschke
Refactor MailSettings controller
335d3aa 
- Do not store the password (fixes #11385)
- Refactor to AppFramework
- Add unit tests
@LukasReschke LukasReschke mentioned this issue Oct 3, 2014
Merged
LukasReschke added a commit that referenced this issue Oct 10, 2014
@LukasReschke
Refactor MailSettings controller
b089b85 
- Do not store the password (fixes #11385)
- Refactor to AppFramework
- Add unit tests
@craigpg craigpg modified the milestones: 2014-sprint-06-current, 2014-sprint-05 Oct 12, 2014
@DeepDiver1975
Copy link
Member

closing after merge of #11408

LukasReschke added a commit that referenced this issue Oct 14, 2014
@LukasReschke @DeepDiver1975
Refactor MailSettings controller
13b1b45 
- Do not store the password (fixes #11385)
- Refactor to AppFramework
- Add unit tests

Conflicts:
	settings/admin/controller.php
@lock lock bot locked as resolved and limited conversation to collaborators Aug 15, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@LukasReschke LukasReschke

Labels
security Type:Bug
Projects
None yet
Milestone
2014-sprint-06
Development

No branches or pull requests
4 participants
@craigpg @karlitschek @LukasReschke @DeepDiver1975