Task #59233
closed
Do not transfer content of fields with eval=password
Added by Franz G. Jahn over 10 years ago.
Updated 5 months ago.
Description
When you edit an arbitrary record with a password field, the content of the password field (as stored in the database) is transferred to the user. This affects i.e. the value of backend user passwords if the backend user record is edited by admins. This might imply that the password hash is transferred over an unencrypted connection without any need.
It would be nice if the content of password fields would not be part of the delivered HTML.
- Tracker changed from Feature to Task
- Target version set to Candidate for patchlevel
- TYPO3 Version set to 6.2
Affected elements:
- FormEngine InputElement
- FormEngine RSAElement
Solution 1:
- autocomplete = off
- set hidden field to disabled and only set enabled on change
- remove hidden field value
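A sketch of how the three points of Solution 1 fit together, added here as an illustration and not taken from the ticket or from TYPO3 FormEngine. All function names are hypothetical, and the form controls are modelled as plain objects so the example runs without a browser.

```javascript
// Added illustration, not TYPO3 code; all names here are hypothetical.

// Minimal attribute escaping for the field name.
function escapeAttr(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Render the form fragment. The stored hash is never passed in,
// so it cannot end up in the delivered markup.
function renderPasswordField(name) {
  const n = escapeAttr(name);
  return [
    // Visible input: always empty, autocomplete off.
    `<input type="password" autocomplete="off" value="" data-target="${n}">`,
    // Hidden carrier: empty and disabled until the user types something.
    `<input type="hidden" name="${n}" value="" disabled>`,
  ].join("\n");
}

// Client-side change handler: enable the carrier only when a value was entered.
function onPasswordChange(carrier, newValue) {
  carrier.value = newValue;
  carrier.disabled = newValue === "";
  return carrier;
}

// Model of HTML form submission: disabled controls are not submitted.
function submittedPairs(controls) {
  const out = {};
  for (const c of controls) {
    if (!c.disabled && c.name) out[c.name] = c.value;
  }
  return out;
}

// Server side: an absent or empty password field means "keep the stored hash".
// hashFn stands in for whatever password hashing the application uses.
function applyEdit(record, submitted, hashFn) {
  const updated = { ...record, ...submitted };
  updated.password = submitted.password ? hashFn(submitted.password) : record.password;
  return updated;
}
```

The server-side rule in `applyEdit` is what makes the empty field safe: saving a record without touching the password must leave the stored hash unchanged.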
- Category set to FormEngine aka TCEforms
- Status changed from New to Accepted
- Assignee set to Markus Klein
- Priority changed from Should have to Must have
- Complexity set to hard
Will be fixed in CMS 7 only if possible at all, otherwise CMS 8.
- TYPO3 Version changed from 6.2 to 8
- Category changed from FormEngine aka TCEforms to Security
- Target version changed from Candidate for patchlevel to 8 LTS
- Target version changed from 8 LTS to Candidate for patchlevel
- Assignee deleted (Markus Klein)
- Priority changed from Must have to Should have
- Has duplicate Task #80017: Security: Do not send password hashes when editing user records added
- Status changed from Accepted to Closed
As HTTPS is now standard, free and everywhere, I don't see a need to change anything, therefore closing this issue.