Bug #14805

closed

FE user passwords shown in page module and info popup of list module

Added by Martin Kutschker over 19 years ago. Updated almost 16 years ago.

Status: Closed
Priority: Must have
Assignee: -
Category: -
Target version: -
Start date: 2005-06-08
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.0
PHP Version: 4.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Since 3.8 FE user passwords are rendered as password fields. BUT, they are shown both in the page module (listed records beneath the page content) and in the item view popup (info) of the list module.

Is this a security related bug? Need this fixed in 3.8.1?
(issue imported from #M1181)


Files

password_in_info.png (17.3 KB), Administrator Admin, 2008-10-30 21:36

Related issues 3 (0 open, 3 closed)

Related to TYPO3 Core - Bug #22588: fe_user passwords are visible in the info popup window in the backend (Closed, Steffen Kamper, 2010-05-04)
Has duplicate TYPO3 Core - Bug #19616: Don't show fe_users password in page module (Closed, Steffen Kamper, 2008-11-15)
Has duplicate TYPO3 Core - Bug #20295: fe_user passwords are visible in the backend (Closed, Chris topher, 2009-04-09)

Actions #1

Updated by Martin Kutschker over 18 years ago

Reopened, because there is no information which bug number is the duplicate.

Actions #2

Updated by Franz Holzinger about 18 years ago

You can use TSconfig to make the password field disappear from the LIST module. Or what should get changed here?

Actions #3

Updated by Martin Kutschker about 18 years ago

If the TCA field is configured to hide the contents of the field, then Web>Page should not show the value of the field. Otherwise it's pointless.

So by default Web>List must be configured not to show the password field any more.

Actions #4

Updated by Michael Stucki about 18 years ago

I suggest to turn down these plain-text passwords completely and use MD5-summed password instead. Transition will be possible using the compatVersion feature...

Actions #5

Updated by Martin Kutschker about 18 years ago

Well, md5 is an option, but only for 4.1. For 4.0.x the password must be hidden (or shown everywhere) to have a consistent UI.

Though I'd like to see md5-FE-passwords as an option. In fact I dislike the hiding of the passwords, but argue here solely on the basis of UI consistency.

Actions #6

Updated by Michael Stucki about 18 years ago

I see. Of course this makes sense then.

Actions #7

Updated by Franz Holzinger about 18 years ago

I think the default behaviour should remain as is for backwards compatibility reasons.

Describe to me in more detail what should be done here and I can provide a patch.

Actions #8

Updated by Martin Kutschker about 18 years ago

Web>page is currently configured/hardcoded in such a way that it shows the password file.

Also the password field is listed in interface[showRecordFieldList] of the TCA.

Actions #9

Updated by Franz Holzinger about 18 years ago

In tbl_cms.php we have
$TCA['fe_users'] = Array (
    // ...
    'columns' => Array (
        // ...
        // 'password' in the eval list makes the form render a password input
        'password' => Array (
            'label' => 'LLL:EXT:cms/locallang_tca.php:fe_users.password',
            'config' => Array (
                'type' => 'input',
                'size' => '10',
                'max' => '40',
                'eval' => 'nospace,required,password'
            )
        ),
        // ...
    ),
    'types' => Array (
        '0' => Array('showitem' => 'username;;;;2-2-2, password, usergroup, lockToDomain, --div--, name;;2;;3-3-3, address, zip, city, country, telephone, fax, email, www, image;;;;4-4-4, --div--, TSconfig;;;;5-5-5')
    ),
    // ...
);
------------------------------------

So the Web->Page should check the TCA field, if eval contains 'password' and if true then this field should not be listed.
The same for the LIST module popup of the fe_users info.
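
The check proposed in comment #9, sketched as an added example; it is not TYPO3 core code and not part of the original thread. The function names and the sample $TCA data are assumptions, and it is written for current PHP rather than the PHP 4.3 named in the report.

```php
<?php
// Added example: hide fields whose TCA 'eval' marks them as passwords.
// isPasswordField() and filterDisplayFields() are hypothetical names.

/** True if the column's TCA 'eval' list contains the exact token 'password'. */
function isPasswordField(array $tca, string $table, string $field): bool
{
    // Columns without an 'eval' entry (or unknown fields) are not passwords.
    $eval = $tca[$table]['columns'][$field]['config']['eval'] ?? '';
    // Compare whole, trimmed tokens rather than searching for a substring,
    // so spacing in the list and look-alike eval names cannot change the result.
    $tokens = array_map('trim', explode(',', (string)$eval));
    return in_array('password', $tokens, true);
}

/** Drop password fields from a comma-separated display field list. */
function filterDisplayFields(array $tca, string $table, string $fieldList): string
{
    $fields = array_filter(array_map('trim', explode(',', $fieldList)), 'strlen');
    $visible = array_filter($fields, function (string $f) use ($tca, $table): bool {
        return !isPasswordField($tca, $table, $f);
    });
    return implode(',', $visible);
}

// Constructed sample data modelled on the tbl_cms.php excerpt above.
$TCA = [
    'fe_users' => [
        'interface' => ['showRecordFieldList' => 'username, password, usergroup, email'],
        'columns' => [
            'username'  => ['config' => ['type' => 'input', 'eval' => 'nospace,required']],
            'password'  => ['config' => ['type' => 'input', 'eval' => 'nospace, required, password']],
            'usergroup' => ['config' => ['type' => 'select']],
            'email'     => ['config' => ['type' => 'input', 'eval' => 'trim']],
        ],
    ],
];

// Apply the filter to the list that the info popup would otherwise render.
$list = $TCA['fe_users']['interface']['showRecordFieldList'];
echo filterDisplayFields($TCA, 'fe_users', $list), "\n";
```

Applying the same filter in both the page module and the info popup keeps the two views consistent with the masked input in the edit form.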

Actions #10

Updated by Martin Kutschker about 16 years ago

Dupe has been fixed.

Actions #11

Updated by Michael Stucki about 16 years ago

Do not close bugs before a fix has been released! Instead, change them to "resolved".
