
Item3583: 'configure' password gets saved as 'smtp' password (in plain text!)

Item Form Data

AppliesTo: Engine
Component: Configure
Priority: Normal
CurrentState: Closed
WaitingFor:
TargetRelease: minor
ReleasedIn: 4.1.3, 4.2.0


Detail

Mine is a fresh install of 4.1.1 with some files copied over from the previous (4.0.5) installation

The problem is that the behavior of bin/configure with respect to the admin/configure password is strange (and possibly a security issue).

If I press 'Next' on the bin/configure page without changing any settings, there is sometimes a message:

1 configuration item was changed
{SMTP}{Password}
I then enter the configuration password in the box and press 'Save'. I get a popup message:
'Confirm password change' 
Confirm the user you are changing the password for
   <>
   MyWikiName

The strange thing is I am not attempting to change the password for anybody, I merely clicked on save to save the configuration. So I press 'Ok' selecting <> as the user, and the next page says:

{SMTP}{Password}
$TWiki::cfg{SMTP}{Password} = 'MyAdminPassword';

Now the fact that my admin password is saved in plain text in lib/LocalSite.cfg (as if it were the smtp password) is slightly worrying from a security point of view.

To try to figure out what is going on, I repeat the procedure

  • Back to configure
  • Press next
  • message saying SMTP password changed (I didn't change it)
  • enter password
  • press 'Save'
    • Confirm password change
    • Confirm the user you are changing the password for
    • ok
  • $TWiki::cfg{SMTP}{Password} = ''; 

Is this peculiar to my setup? I can give more details of the configure options and installed packages if needed. Thanks, Jon

-- TWiki:Main/JonJackson - 08 Feb 2007

This happens because some browsers try to be clever about password input fields, by remembering the password for them. In fact we use a password field simply to hide the data entry; there is no intent to change anyone's password (stupid browsers). The correct course of action is to simply ignore the popup message (cancel it) and continue as normal.

This is a nasty one, and we really need to find a fix for it.

CC

-- TWiki:Main.CrawfordCurrie - 09 Feb 2007

simple :) add

-autocomplete=>'off' to the password field, and bob's your auntie :) (ok, this is actually an IE-ism, but seems to help with my current FF, so I think it might be a good fix.)

quick whiparound makes it look like it's an IE, gecko(2003) now Web Forms 2.0 thing

committing it

SD

-- TWiki:Main.SvenDowideit - 09 Mar 2007

Good fix :)

Remember to put fixed core / default plugin items in Waiting for Release. Otherwise they will not make it to the release note.

KJL
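
A check for the condition fixed in this item, as an added example that is not part of the original thread or of TWiki's code: it parses a rendered form and lists the password inputs that do not opt out of browser autofill. The sample markup and the field name configure_password are constructed; accepting new-password alongside off is this example's assumption.

```python
from html.parser import HTMLParser

# Values treated as "do not autofill a saved credential here". "off" is the
# value used in the fix above; "new-password" is the HTML autofill token with
# the same intent (accepting it is this example's assumption).
OPT_OUT = {"off", "new-password"}

class PasswordFieldAudit(HTMLParser):
    """Collect names of <input type=password> fields a browser may autofill."""

    def __init__(self):
        super().__init__()
        self.form_opt_out = False  # True inside <form autocomplete="off">
        self.exposed = []          # names of fields with no opt-out

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lowercased
        if tag == "form":
            self.form_opt_out = a.get("autocomplete", "").lower() in OPT_OUT
        elif tag == "input" and a.get("type", "").lower() == "password":
            if "autocomplete" in a:
                # The field's own attribute overrides the form-level setting.
                protected = a["autocomplete"].strip().lower() in OPT_OUT
            else:
                protected = self.form_opt_out
            if not protected:
                self.exposed.append(a.get("name", "<unnamed>"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_opt_out = False

def exposed_password_fields(html):
    """Return the names of password inputs that lack an autofill opt-out."""
    audit = PasswordFieldAudit()
    audit.feed(html)
    return audit.exposed

# Constructed sample markup (not TWiki's real configure output).
BEFORE = '''<form method="post">
<input type="password" name="{SMTP}{Password}" value="">
<input type="password" name="configure_password">
</form>'''
# The same form with the attribute from the fix applied to each password field.
AFTER = BEFORE.replace('type="password"', 'type="password" autocomplete="off"')

if __name__ == "__main__":
    print("before fix:", exposed_password_fields(BEFORE))
    print("after fix: ", exposed_password_fields(AFTER))
```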

ItemTemplate
Summary 'configure' password gets saved as 'smtp' password (in plain text!)
ReportedBy TWiki:Main.JonJackson
Codebase 4.1.1
SVN Range TWiki-4.1.1, Wed, 07 Feb 2007, build 12792
AppliesTo Engine
Component Configure
Priority Normal
CurrentState Closed
WaitingFor

Checkins TWikirev:13114 TWikirev:13115
TargetRelease minor
ReleasedIn 4.1.3, 4.2.0
Topic revision: r9 - 2008-01-22 - KennethLavrsen
 