Task #70214

rsaauth should not send hashed password hash to formengine

Added by Markus Klein almost 4 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Should have
Assignee:
Category: -
Target version: -
Start date: 2015-09-30
Due date:
% Done: 0%
TYPO3 Version: 7
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

Currently, the hashed password is transmitted to the browser when a beuser is edited.
This is necessary, as otherwise the current password would be overwritten.

In my opinion it is a bad practice to send (even a hashed) password around. Data should only flow in one direction, from the browser to the server.
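
One way to edit a user record without the hash leaving the server, as an added example that is not TYPO3's code and not part of the original ticket: the form gets an empty password field, and an empty submission is treated as "keep the current hash". The function names and the `password` field name are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical field list; TYPO3's real FormEngine/DataHandler code differs.
const SECRET_FIELDS = ['password'];

/** Build the values sent to the browser: secret fields always go out empty. */
function valuesForForm(array $storedRow): array
{
    foreach (SECRET_FIELDS as $field) {
        if (array_key_exists($field, $storedRow)) {
            $storedRow[$field] = '';
        }
    }
    return $storedRow;
}

/** Merge a submitted form into the stored row without losing the current hash. */
function applySubmission(array $storedRow, array $submitted): array
{
    foreach ($submitted as $field => $value) {
        if (!array_key_exists($field, $storedRow)) {
            continue; // ignore fields the record does not have
        }
        if (in_array($field, SECRET_FIELDS, true)) {
            if ($value === '') {
                continue; // empty means "unchanged": keep the stored hash
            }
            $value = password_hash($value, PASSWORD_DEFAULT);
        }
        $storedRow[$field] = $value;
    }
    return $storedRow;
}

// Constructed sample record.
$stored = ['username' => 'editor', 'password' => password_hash('old-secret', PASSWORD_DEFAULT)];

// The browser never sees the hash.
assert(valuesForForm($stored)['password'] === '');

// Editing another field with the password left blank keeps the stored hash.
$renamed = applySubmission($stored, ['username' => 'editor2', 'password' => '']);
assert($renamed['password'] === $stored['password']);

// A non-empty password replaces the hash with a new one.
$changed = applySubmission($stored, ['username' => 'editor', 'password' => 'new-secret']);
assert(password_verify('new-secret', $changed['password']));
```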


Related issues

Duplicates TYPO3 Core - Task #59233: Do not transfer content of fields with eval=password (Accepted, 2014-05-30)

History

#1 Updated by Martin Kutschker almost 4 years ago

Yes, password equivalents should not be transmitted (insecurely) without a good reason.

#2 Updated by Helmut Hummel almost 4 years ago

  • Status changed from New to Closed

closed as duplicate

#3 Updated by Helmut Hummel almost 4 years ago

  • Project changed from Core Security to TYPO3 Core

can safely be handled in public tracker
