Task #59233
Do not transfer content of fields with eval=password
Status: Accepted
Priority: Should have
Assignee: -
Category: Security
Target version:
Start date: 2014-05-30
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 8
PHP Version:
Tags: security
Complexity: hard
Sprint Focus:
Description
When you edit an arbitrary record with a password field, the content of the password field (as stored in the database) is transferred to the user. This affects i.e. the value of backend user passwords if the backend user record is edited by admins. This might imply that the password hash is transferred over an unencrypted connection without any need.
It would be nice if the content of password fields would not be part of the delivered HTML.
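
The behaviour requested above, sketched as an added example that is not TYPO3 core code and not part of the original report: a form renderer that never emits the stored value of a field whose eval list contains `password`, paired with a save step that treats an empty submission as "unchanged". The function names, the column configuration and the sample record are hypothetical and constructed for illustration; only the comma-separated `eval` list with a `password` entry is taken from the issue.

```php
<?php
declare(strict_types=1);

// True when a field's comma-separated eval list contains "password".
function isPasswordField(array $config): bool
{
    return in_array('password', array_map('trim', explode(',', $config['eval'] ?? '')), true);
}

// Render one edit-form input; the stored value of a password field is never emitted.
function renderInput(string $name, array $config, string $stored): string
{
    $esc = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    if (isPasswordField($config)) {
        return sprintf('<input type="password" name="%s" value="" autocomplete="new-password">', $esc($name));
    }
    return sprintf('<input type="text" name="%s" value="%s">', $esc($name), $esc($stored));
}

// Apply a submission: an empty password means "unchanged", a non-empty one is hashed.
function applySubmission(array $columns, array $record, array $submitted): array
{
    foreach ($columns as $name => $config) {
        if (!array_key_exists($name, $submitted)) {
            continue;
        }
        $value = (string)$submitted[$name];
        if (isPasswordField($config)) {
            if ($value === '') {
                continue; // keep the existing hash
            }
            $value = password_hash($value, PASSWORD_DEFAULT);
        }
        $record[$name] = $value;
    }
    return $record;
}

// Constructed sample column configuration and record (hypothetical values).
$columns = ['username' => ['eval' => 'trim,required'], 'password' => ['eval' => 'required,password']];
$record = ['username' => 'editor', 'password' => password_hash('old-secret', PASSWORD_DEFAULT)];

$html = renderInput('password', $columns['password'], $record['password']);
var_dump(strpos($html, $record['password']) === false);        // is the hash absent from the HTML?

$kept = applySubmission($columns, $record, ['username' => 'editor2', 'password' => '']);
var_dump($kept['password'] === $record['password']);           // did an empty submit keep the hash?

$changed = applySubmission($columns, $record, ['password' => 'new-secret']);
var_dump(password_verify('new-secret', $changed['password'])); // is the new password stored hashed?
```

Because the field is delivered empty, any `required` validation on an existing record has to accept an empty password as "keep current value"; otherwise every edit would force a password change.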