Task #59233

open

Do not transfer content of fields with eval=password

Added by Franz G. Jahn almost 10 years ago. Updated over 6 years ago.

Status: Accepted
Priority: Should have
Assignee: -
Category: Security
Start date: 2014-05-30
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 8
PHP Version:
Tags: security
Complexity: hard
Sprint Focus:

Description

When you edit an arbitrary record with a password field, the content of the password field (as stored in the database) is transferred to the user. This affects i.e. the value of backend user passwords if the backend user record is edited by admins. This might imply that the password hash is transferred over an unencrypted connection without any need.

It would be nice if the content of password fields would not be part of the delivered HTML.
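
A sketch of the requested behaviour, added here as an example and not taken from TYPO3 core: stored values of password fields are blanked before a record goes to the form renderer, and an empty password field on save is treated as "unchanged". The function names are hypothetical, and the code assumes each column's `config.eval` is a comma-separated list as in the ticket's `eval=password`; the sample data is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers, not TYPO3 core API. $columns mimics a TCA 'columns' array (assumption).

/** Return the names of columns whose comma-separated eval list contains "password". */
function passwordColumns(array $columns): array
{
    $names = [];
    foreach ($columns as $name => $column) {
        $evalList = array_map('trim', explode(',', (string)($column['config']['eval'] ?? '')));
        if (in_array('password', $evalList, true)) {
            $names[] = $name;
        }
    }
    return $names;
}

/** Outbound: blank stored values of password columns before the record is rendered. */
function stripPasswordValues(array $row, array $columns): array
{
    foreach (passwordColumns($columns) as $name) {
        if (array_key_exists($name, $row)) {
            $row[$name] = '';
        }
    }
    return $row;
}

/** Inbound: an empty password field means "unchanged", so drop it instead of overwriting the hash. */
function dropUnchangedPasswords(array $submitted, array $columns): array
{
    foreach (passwordColumns($columns) as $name) {
        if (($submitted[$name] ?? null) === '') {
            unset($submitted[$name]);
        }
    }
    return $submitted;
}

// Constructed sample data: a two-column table definition and one stored record.
$columns = [
    'username' => ['config' => ['type' => 'input', 'eval' => 'trim,required']],
    'password' => ['config' => ['type' => 'input', 'eval' => 'trim,required,password']],
];
$row = ['uid' => 7, 'username' => 'editor', 'password' => '<stored-hash-placeholder>'];

var_dump(stripPasswordValues($row, $columns));
var_dump(dropUnchangedPasswords(['username' => 'editor2', 'password' => ''], $columns));
```

The inbound half matters as much as the outbound one: without it, saving a form whose password field was blanked would overwrite the stored hash with an empty value.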


Related issues 2 (0 open, 2 closed)

Has duplicate: TYPO3 Core - Task #70214: rsaauth should not send hashed password hash to formengine (Closed, Markus Klein, 2015-09-30)

Has duplicate: TYPO3 Core - Task #80017: Security: Do not send password hashes when editing user records (Closed, 2017-02-25)
