Task #59233
Closed: Do not transfer content of fields with eval=password
Start date: 2014-05-30
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 8
PHP Version:
Tags: security
Complexity: hard
Sprint Focus:
Description
When you edit an arbitrary record with a password field, the content of the password field (as stored in the database) is transferred to the user. This affects i.e. the value of backend user passwords if the backend user record is edited by admins. This might imply that the password hash is transferred over an unencrypted connection without any need.
It would be nice if the content of password fields would not be part of the delivered HTML.
Updated by Mathias Schreiber almost 9 years ago
- Tracker changed from Feature to Task
- Target version set to Candidate for patchlevel
- TYPO3 Version set to 6.2
Affected elements:
- FormEngine InputElement
- FormEngine RSAElement
- autocomplete = off
- set hidden field to disabled and only set enabled on change
- remove hidden field value
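The measures listed above (empty value, autocomplete off, hidden field disabled until changed) can be sketched as follows. This is an added example, not TYPO3 FormEngine code and not from the issue; the function names `isPasswordField`, `renderInput` and `mergeSubmitted`, the column layout and the sample record are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical column config, modelled on the eval=password setting named in the issue.
function isPasswordField(array $config): bool
{
    return in_array('password', array_map('trim', explode(',', $config['eval'] ?? '')), true);
}

// Password fields: the stored hash is never written into the markup. The visible
// input has no name; the hidden field that carries the submitted value starts empty
// and disabled, and is enabled only once the user types.
function renderInput(string $name, string $stored, array $config): string
{
    $n = htmlspecialchars($name, ENT_QUOTES);
    if (!isPasswordField($config)) {
        return sprintf('<input type="text" name="%s" value="%s">', $n, htmlspecialchars($stored, ENT_QUOTES));
    }
    return '<input type="password" value="" autocomplete="off"'
        . ' oninput="var h=this.nextElementSibling;h.disabled=false;h.value=this.value">'
        . sprintf('<input type="hidden" name="%s" value="" disabled>', $n);
}

// Save step: a disabled field is not submitted, so a missing or empty password
// key means "unchanged" and the stored hash is kept.
function mergeSubmitted(array $row, array $post, array $columns): array
{
    foreach ($columns as $name => $config) {
        $value = $post[$name] ?? null;
        if ($value === null || (isPasswordField($config) && $value === '')) {
            continue;
        }
        $row[$name] = isPasswordField($config) ? password_hash($value, PASSWORD_DEFAULT) : $value;
    }
    return $row;
}

// Constructed sample record; the hash is a placeholder, not a real value.
$columns = ['username' => ['eval' => 'trim'], 'password' => ['eval' => 'trim,password']];
$row = ['username' => 'editor', 'password' => '$2y$10$CONSTRUCTED-PLACEHOLDER-HASH'];

$html = '';
foreach ($columns as $name => $config) {
    $html .= renderInput($name, $row[$name], $config) . "\n";
}
echo $html;
echo 'hash in markup: ', var_export(strpos($html, $row['password']) !== false, true), "\n";

$saved = mergeSubmitted($row, ['username' => 'editor2'], $columns);
echo 'hash unchanged: ', var_export($saved['password'] === $row['password'], true), "\n";
```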
Updated by Markus Klein almost 9 years ago
- Category set to FormEngine aka TCEforms
- Status changed from New to Accepted
- Assignee set to Markus Klein
- Priority changed from Should have to Must have
- Complexity set to hard
Will be fixed in CMS 7 only if possible at all, otherwise CMS 8.
Updated by Helmut Hummel over 8 years ago
- Category changed from FormEngine aka TCEforms to Security
- Target version changed from Candidate for patchlevel to 8 LTS
Updated by Benni Mack over 7 years ago
- Target version changed from 8 LTS to Candidate for patchlevel
Updated by Markus Klein about 7 years ago
- Assignee deleted (Markus Klein)
- Priority changed from Must have to Should have
Updated by Oliver Hader almost 6 years ago
- Has duplicate Task #80017: Security: Do not send password hashes when editing user records added
Updated by Georg Ringer 5 months ago
- Status changed from Accepted to Closed
As HTTPS is now standard, free and everywhere, I don't see a need to change anything - therefore closing this issue.