Bug #14805
closed
FE user passwords shown in page module and info popup of list module
Description
Since 3.8 FE user passwords are rendered as password fields. BUT, they are shown both in the page module (listed records beneath the page content) and in the item view popup (info) of the list module.
Is this a security related bug? Need this fixed in 3.8.1?
(issue imported from #M1181)
Updated by Martin Kutschker over 18 years ago
Reopened, because there is no information which bug number is the duplicate.
Updated by Franz Holzinger about 18 years ago
You can use TSconfig to make the password field disappear from the LIST module. Or what should get changed here?
Updated by Martin Kutschker about 18 years ago
If the TCA field is configured to hide the contents of the field, then Web>Page should not show the value of the field. Otherwise it's pointless.
So by default Web>List must be configured not to show the password field any more.
Updated by Michael Stucki about 18 years ago
I suggest to turn down these plain-text passwords completely and use MD5-summed password instead. Transition will be possible using the compatVersion feature...
Updated by Martin Kutschker about 18 years ago
Well, md5 is an option, but only for 4.1. For 4.0.x the password must be hidden (or shown everywhere) to have a consistent UI.
Though I'd like to see md5-FE-passwords as an option. In fact I dislike the hiding of the passwords, but argue here solely on the basis of UI-consistency.
Updated by Michael Stucki about 18 years ago
I see. Of course this makes sense then.
Updated by Franz Holzinger about 18 years ago
I think the default behaviour should remain as is for backwards compatibility reasons.
Describe to me in more detail what should be done here and I can provide a patch.
Updated by Martin Kutschker about 18 years ago
Web>page is currently configured/hardcoded in such a way that it shows the password file.
Also the password field is listed in interface[showRecordFieldList] of the TCA.
Updated by Franz Holzinger about 18 years ago
In tbl_cms.php we have
$TCA['fe_users'] = Array (
    // ...
    'columns' => Array (
        // ...
        'password' => Array (
            'label' => 'LLL:EXT:cms/locallang_tca.php:fe_users.password',
            'config' => Array (
                'type' => 'input',
                'size' => '10',
                'max' => '40',
                // the 'password' token marks this column as a password field
                'eval' => 'nospace,required,password'
            )
        ),
    ),
    'types' => Array (
        '0' => Array('showitem' => 'username;;;;2-2-2, password, usergroup, lockToDomain, --div--, name;;2;;3-3-3, address, zip, city, country, telephone, fax, email, www, image;;;;4-4-4, --div--, TSconfig;;;;5-5-5')
    ),
);
------------------------------------
So the Web->Page should check the TCA field, if eval contains 'password' and if true then this field should not be listed.
The same for the LIST module popup of the fe_users info.
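The check proposed in the comment above, sketched as an added example (not TYPO3 core code and not a patch from this ticket): a display field list and a record row are filtered by looking for the `password` token in each column's `eval` list. The function names are hypothetical, and the TCA excerpt and the record are constructed samples modelled on the snippet quoted above.

```php
<?php
// Constructed TCA excerpt modelled on the fe_users definition quoted in the ticket.
$TCA = array(
    'fe_users' => array(
        'interface' => array('showRecordFieldList' => 'username,password,usergroup,name,email'),
        'columns' => array(
            'username' => array('config' => array('type' => 'input', 'eval' => 'nospace,required')),
            'password' => array('config' => array('type' => 'input', 'eval' => 'nospace,required,password')),
            'email'    => array('config' => array('type' => 'input', 'eval' => 'trim')),
        ),
    ),
);

// Hypothetical helper: true if the column's eval list contains the exact token 'password'.
// Tokens are compared whole, so an eval name that merely contains the word does not match.
function isPasswordField(array $tca, $table, $field)
{
    if (!isset($tca[$table]['columns'][$field]['config']['eval'])) {
        return false;
    }
    $evalList = array_map('trim', explode(',', $tca[$table]['columns'][$field]['config']['eval']));
    return in_array('password', $evalList, true);
}

// Hypothetical helper: drop password-type fields from a comma-separated display field list.
function filterDisplayFieldList(array $tca, $table, $fieldList)
{
    $kept = array();
    foreach (array_map('trim', explode(',', $fieldList)) as $field) {
        if ($field !== '' && !isPasswordField($tca, $table, $field)) {
            $kept[] = $field;
        }
    }
    return implode(',', $kept);
}

// Hypothetical helper: remove password-type values from a record row before it is rendered.
function stripPasswordValues(array $tca, $table, array $row)
{
    foreach (array_keys($row) as $field) {
        if (isPasswordField($tca, $table, $field)) {
            unset($row[$field]);
        }
    }
    return $row;
}
// Constructed sample record.
$row = array('username' => 'jdoe', 'password' => 'constructed-sample-value', 'email' => 'jdoe@example.org');
echo filterDisplayFieldList($TCA, 'fe_users', $TCA['fe_users']['interface']['showRecordFieldList']), "\n";
print_r(stripPasswordValues($TCA, 'fe_users', $row));
```

Applying the same predicate in both the page module listing and the info popup keeps the two views consistent with the TCA setting, which is the UI-consistency point raised earlier in the thread.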
Updated by Michael Stucki almost 16 years ago
Do not close bugs before a fix has been released! Instead, change them to "resolved".