password possibly revealed in ZPublisher.HTTPRequest.text method #375

Closed
wlang42 opened this Issue Oct 14, 2018 · 1 comment

@wlang42
Contributor

wlang42 commented Oct 14, 2018

The Zope class ZPublisher.HTTPRequest has a __str__ method, which
renders the request data in HTML. Accompanying it, there is also a
text method, which returns exactly the same data in text
representation. With one exception: in opposition to __str__ the
text method does not suppress displaying the password.

In the patch below the text() method uses the same
_filterPasswordFields method as __str__ does.

Proposed patch:

--- ZPublisher/HTTPRequest.py.ori.no_pw 2018-09-30 17:24:41.054632120 +0200
+++ ZPublisher/HTTPRequest.py      2018-09-30 18:04:07.684736073 +0200
@@ -1551,16 +1551,16 @@
     def text(self):
         result = "FORM\n\n"
         row = '%-20s %s\n'
-        for k, v in self.form.items():
+        for k, v in _filterPasswordFields(self.form.items()):
             result = result + row % (k, repr(v))
         result = result + "\nCOOKIES\n\n"
-        for k, v in self.cookies.items():
+        for k, v in _filterPasswordFields(self.cookies.items()):
             result = result + row % (k, repr(v))
         result = result + "\nLAZY ITEMS\n\n"
-        for k, v in self._lazies.items():
+        for k, v in _filterPasswordFields(self._lazies.items()):
             result = result + row % (k, repr(v))
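Review bot: the three loops are now routed through `_filterPasswordFields`, but the hunk brings no test; add one that builds a request with a form field, a cookie and a lazy item whose keys match the password filter and asserts that `text()` masks them exactly as `__str__` does, so the two representations cannot drift apart again. The hunk header announces 16 lines while only 14 are shown, so the trailing context of `text()` is cut off here; the full change should show that nothing after the LAZY ITEMS section still iterates an unfiltered mapping. A changelog entry naming the leak would also be expected alongside the fix.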
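As an added example that is not part of the issue and not Zope's code, here is a minimal Python model of the mismatch the report describes: a stand-in request carrying the three mappings that `text()` renders, the unfiltered rendering beside the filtered one, and a regression check that reports any secret surviving into the dump. The `filter_password_fields` heuristic (case-insensitive match on `passw` in the key) and the `<password obscured>` marker are assumptions standing in for Zope's `_filterPasswordFields`, not its real implementation.

```python
"""Minimal model of the HTTPRequest.__str__ / text() mismatch.

Added example, not Zope's code: the request object, the password
heuristic and the two renderers are simplified stand-ins.
"""

# Assumed placeholder text; the real Zope marker may differ.
PASSWORD_MARKER = "<password obscured>"


def filter_password_fields(items):
    """Mask any value whose key looks like a password field.

    Assumption: a case-insensitive substring match on 'passw', so
    'password', 'PASSWD' and '__ac_password' are masked while 'user'
    passes through untouched.
    """
    for k, v in items:
        if "passw" in k.lower():
            v = PASSWORD_MARKER
        yield k, v


class FakeRequest:
    """Stand-in for ZPublisher.HTTPRequest with only the three mappings
    that text() renders (form, cookies, lazy items)."""

    def __init__(self, form, cookies, lazies):
        self.form = form
        self.cookies = cookies
        self._lazies = lazies

    def _sections(self):
        return (
            ("FORM", self.form),
            ("COOKIES", self.cookies),
            ("LAZY ITEMS", self._lazies),
        )

    def text_unfiltered(self):
        """Pre-fix behaviour: every value, passwords included, is printed."""
        return self._render(lambda items: items)

    def text(self):
        """Fixed behaviour: the same filter the HTML renderer uses."""
        return self._render(filter_password_fields)

    def _render(self, filt):
        row = "%-20s %s\n"
        out = []
        for title, mapping in self._sections():
            out.append("%s\n\n" % title)
            for k, v in filt(mapping.items()):
                out.append(row % (k, repr(v)))
            out.append("\n")
        return "".join(out)


def leaked_secrets(rendered, secrets):
    """Return the secrets that appear verbatim in a rendered request dump.
    A regression check: the list must be empty after the fix."""
    return [s for s in secrets if s in rendered]


# Constructed sample request: one secret in each of the three mappings.
SAMPLE = FakeRequest(
    form={"__ac_name": "alice", "__ac_password": "hunter2"},
    cookies={"__ac_password": "c00kie-secret", "zope_lang": "en"},
    lazies={"passwd_hint": "lazy-secret"},
)
SECRETS = ["hunter2", "c00kie-secret", "lazy-secret"]

if __name__ == "__main__":
    print("before fix leaks:", leaked_secrets(SAMPLE.text_unfiltered(), SECRETS))
    print("after fix leaks: ", leaked_secrets(SAMPLE.text(), SECRETS))
    print(SAMPLE.text())
```

The check is deliberately value-based rather than key-based: it scans the rendered dump for the secret strings themselves, so it would also catch a future renderer that prints a masked key in one place and the raw value in another.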

wlang42 added a commit to wlang42/Zope that referenced this issue Oct 14, 2018

do not reveal passwords in the HTTPRequest.text() method. Use
the same filterPassword method as in the __str__ method.
See Issue zopefoundation#375

icemac added a commit that referenced this issue Oct 26, 2018

Fix: password possibly revealed in HTTPRequest.text() method (#376)
* do not reveal passwords in the HTTPRequest.text() method. Use
the same filterPassword method as in the __str__ method.
See Issue #375
@icemac


Member

icemac commented Oct 26, 2018

@wlang42 Thank you very much for reporting and fixing this issue. I included the fix for the next Zope 4 release.

Fixed in #376.

@icemac icemac closed this Oct 26, 2018

@icemac icemac added this to the 4.0b7 milestone Oct 26, 2018

@icemac icemac added this to To do in Zope 4 final release via automation Oct 26, 2018

@icemac icemac added the bug label Oct 26, 2018

@icemac icemac moved this from To do to Reviewer approved in Zope 4 final release Oct 26, 2018

@icemac icemac moved this from Reviewer approved to Done in Zope 4 final release Oct 26, 2018

icemac added a commit that referenced this issue Oct 30, 2018

icemac added a commit that referenced this issue Nov 7, 2018

Zope 2.13: password possibly revealed in HTTPRequest.text() method (#393)

* Port the fix for #375 to Zope 2.13.
* Fix version ranges to be able to run buildout.