Bug #69153

Password in form is transferred as asterisks to TYPO3

Added by Olaf Döring over 4 years ago. Updated over 2 years ago.

Status: Closed
Priority: Must have
Assignee: -
Category: -
Target version:
Start date: 2015-08-18
Due date:
% Done: 100%
TYPO3 Version: 7
PHP Version: 5.6
Tags:
Complexity:
Is Regression: Yes
Sprint Focus: Remote Sprint

Description

Testing with current 3.0.2-dev and TYPO3 7.4, the password for connecting to the LDAP-Server is stored as "********" in database.

Changing it directly in database to the correct password will work and password will be kept correctly if you do not change it.

Changing the Password in Backend-Form will also store "********" in Database.

Tested in Chrome and Internet Explorer 11. Perhaps it is a TYPO3 7.4 issue.

Associated revisions

Revision a25b2293 (diff)
Added by Xavier Perseguers over 4 years ago

[BUGFIX] Password in form is transferred as asterisks

Due to a wrong usage of $.inArray() which possibly returns
"0" if element is found at the first position within an array,
TCA fields with a single eval statement "password" are not
properly transferred to TYPO3.

Change-Id: Ic2647fbefc0ea7c9fef88288946af91343fcc55c
Resolves: #69153
Releases: master
Reviewed-on: http://review.typo3.org/42858
Reviewed-by: Andreas Fernandez <>
Tested-by: Andreas Fernandez <>
Reviewed-by: Wouter Wolters <>
Reviewed-by: Alexander Opitz <>
Tested-by: Alexander Opitz <>
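
The `$.inArray()` pitfall named in the commit message, as an added example (not the TYPO3 patch and not code from this ticket). `inArray` is a stand-in with the same return contract as jQuery's `$.inArray()`; `onBlur`, the other helper names and the sample password are hypothetical, simplified assumptions.

```javascript
// Stand-in with the same contract as jQuery's $.inArray():
// returns the index of the match, or -1 when the element is absent.
function inArray(needle, haystack) {
  return haystack.indexOf(needle);
}

// Split a TCA "eval" string such as "trim,password" into its rules.
function parseEval(evalString) {
  return evalString.split(',').map((s) => s.trim()).filter(Boolean);
}

// Buggy: the returned index is used as a boolean.
// 0 (found at first position) is falsy, -1 (not found) is truthy.
function hasPasswordBuggy(evalList) {
  return Boolean(inArray('password', evalList));
}

// Fixed: compare against the "not found" sentinel.
function hasPasswordFixed(evalList) {
  return inArray('password', evalList) !== -1;
}

const MASK = '********';

// Hypothetical, simplified blur handler (an assumption, not TYPO3's code):
// the visible field shows the formatted value, and the submitted field keeps
// the typed value only when the check recognises a password field.
function onBlur(evalString, typed, hasPassword) {
  const evalList = parseEval(evalString);
  const formatted = evalList.includes('password') ? MASK : typed;
  return {
    humanReadable: formatted,
    submitted: hasPassword(evalList) ? typed : formatted,
  };
}

// Constructed sample input: compare both checks for three eval strings.
function demo() {
  return ['password', 'trim,password', 'trim'].map((evalString) => ({
    evalString,
    buggy: onBlur(evalString, 's3cret', hasPasswordBuggy).submitted,
    fixed: onBlur(evalString, 's3cret', hasPasswordFixed).submitted,
  }));
}

console.log(demo());
```

Only the single-rule `password` case submits the mask under the buggy check, because that is the only case where the match sits at index 0.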

History

#1 Updated by Xavier Perseguers over 4 years ago

  • Status changed from New to Accepted

#2 Updated by Xavier Perseguers over 4 years ago

Post request contains the asterisks:

------WebKitFormBoundary8dsJqzTTfI8XX6Lg
Content-Disposition: form-data; name="data[tx_igldapssoauth_config][3][ldap_password]_hr" 

********
------WebKitFormBoundary8dsJqzTTfI8XX6Lg
Content-Disposition: form-data; name="data[tx_igldapssoauth_config][3][ldap_password]" 

********
------WebKitFormBoundary8dsJqzTTfI8XX6Lg

#3 Updated by Xavier Perseguers over 4 years ago

  • Project changed from LDAP / SSO Authentication to TYPO3 Core
  • Subject changed from Password not written to database to Password in form is transferred as asterisks to TYPO3
  • Target version set to 7.5
  • PHP Version set to 5.6
  • Is Regression set to Yes
  • Sprint Focus set to Remote Sprint

How to reproduce

E.g., with EXT:ig_ldap_sso_auth, trying to create a standard record of type LDAP/SSO configuration.

Symptom

The Bind Password (second tab) cannot be saved; it is systematically converted to '*********' both in main field and in human readable one (_hr suffix in FormEngine).

Analysis

The faulty value is put into fields when the password field loses the focus, turning password into gibberish but not storing the plain text (real) password either, making it impossible to retrieve it at a later stage and thus effectively persisting '*********' to the database.

#4 Updated by Gerrit Code Review over 4 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/42858

#5 Updated by Xavier Perseguers over 4 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#6 Updated by Riccardo De Contardi over 2 years ago

  • Status changed from Resolved to Closed
