-
Notifications
You must be signed in to change notification settings - Fork 444
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hide DB password in the administration "system info" page #7716
Comments
Not sure if it need to be a bug or a feature request. |
@asmecher seems like a sensible change, but do you find that the community needs this information in the admin screen to get adequate support? |
No, I haven't seen problems e.g. in the forum that have led to users tracking down database passwords here. I've always sent them to the configuration file (which is usually painless). |
A few questions about this issue. In the template file, it is getting the password from the value in settings within the database configData category. At least, from what I am understanding about smarty templates. Please correct me if I am incorrect, and I was trying to see where it is pulling these variables from exactly. So, I would appreciate if someone could point me to that location. Is it a better option to not print out the password at all, or redact it with asterisks? Additionally, should it be an option for users to pick either of those two options or none of them at all? |
Hi @Tyl13! The PHP controller class that's responsible for the systemInfo display is $templateMgr->assign([
...
'configData' => Config::getData(),
);
$templateMgr->display('admin/systemInfo.tpl'); The |
Redact it with asterisks, but do not make the string the same length. In other words, if my password is
No options are needed. Just redact the password. |
* Redacts DB password * Reduced changes to 4 lines * Removed extra line
* Redacts DB password * Reduced changes to 4 lines * Removed extra line
Thanks, @Tyl13! |
Reopening. The existing change compares the |
Whoops -- fixed. Thanks, @ctgraham. |
Not sure if I should reopen this or create a new issue. Taking the problem form a generic perspective, the point is the full page is too much... "verbose", and a lot of sensitive is shown there. As far as journalmanagers and editors could reach this page, it's a security concern. It's not only the dbpwd, there are a few more fields the sysadmin won't probably like to share with journalmanagers/editors, so I suggest hide (as we did with the DB password) any pwd, key, secret (even usernames?) included in this page. My preliminary list of fields to be hiden (as sysadmin could always check them in config.ini.php) is:
I would also suggest to remove the last link with the phpinfo() output we have in the bottom of the page, as some sensitive data could be exposed there and is info the sysadmin could reach whenever he/she likes to. |
How are journal managers or editor reaching this page? I think it requires the Administrator (last tested: OJS 3.4). |
My fault Clinton. But do we really need to expose this sensitive data to them? |
I make a distinction between credentials that I would pass along to a new owner, and those credentials which I would keep private, if I transferred the OJS installation to another party. From your list, I think the database password, the smtp secrets, and the ReCAPTCHA private key all fall into the category of secrets that belong to the hosting provider, not to the hosted journal. I would suggest opening a new issue or discussion and linking to this closed issue. |
Describe the bug
Every user with rights to see the Administration pages can see the DB pwd.
As far as admins know this info (or can check it in the config.inc.php) may be is a good idea not showing this info in this pages... or at least, transform it to asterisks.
To Reproduce
Steps to reproduce the behavior:
What application are you using?
OJS, 3.x
Additional information
The text was updated successfully, but these errors were encountered: