Opened 4 years ago

Closed 4 years ago

#7510 closed defect (fixed)

[patch] Don't cache password field content

Reported by: hasienda
Owned by: hasienda
Priority: high
Component: DataSaverPlugin
Severity: major
Keywords: security precaution input cache
Cc:
Trac Release: 0.11

Description

This plugin works great for me with Trac 0.12.1dev-r9990, but IMHO it's going a little too far.

Today DataSaverPlugin basically is an effective password logger as well. I do use the login form provided by AccountManagerPlugin, and this is where the last username/password combination is cached and successfully restored later according to my tests tonight.

A privacy/security sensitive application would never want to restore any password field input or even cache such content at all. By doing so, DataSaverPlugin poses a considerable vulnerability, since even someone else could use it in the same browser to get valid authentication credentials, as long as cookies were not cleared meanwhile.

I judge this a bad habit - hence I'm looking at it as a major defect.
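To make the reported risk concrete, here is an added example (not DataSaverPlugin's own code) that models the plugin's save/restore cycle on plain objects instead of DOM elements, with the original field filter beside the one that also skips password inputs; the form field names and values are constructed for the demo.

```javascript
// Added example: models how a form-caching plugin collects field values and
// restores them later. Fields are assumed to be plain { name, type, value }
// objects so this runs outside a browser; the cache format is a constructed
// list of "name=value" pairs (the real plugin stores its data in cookies).

function collect(elements, skipTypes) {
  const formdata = [];
  for (const element of elements) {
    if (!skipTypes.includes(element.type) && element.value) {
      formdata.push(element.name + '=' + encodeURIComponent(element.value));
    }
  }
  return formdata;
}

// Before the fix: only submit buttons and hidden fields are ignored, so the
// password typed into a login form is captured along with the user name.
function collectUnpatched(elements) {
  return collect(elements, ['submit', 'hidden']);
}

// After the fix: password inputs are never read, so they cannot be cached
// or restored; everything else behaves as before.
function collectPatched(elements) {
  return collect(elements, ['submit', 'hidden', 'password']);
}

// Restore cached values into a fresh copy of the form (what the plugin does
// when the user returns to the page).
function restore(elements, formdata) {
  const saved = new Map();
  for (const pair of formdata) {
    const eq = pair.indexOf('=');
    saved.set(pair.slice(0, eq), decodeURIComponent(pair.slice(eq + 1)));
  }
  for (const element of elements) {
    if (saved.has(element.name)) element.value = saved.get(element.name);
  }
  return elements;
}

// Constructed login form resembling the AccountManagerPlugin form.
const loginForm = [
  { name: 'user', type: 'text', value: 'alice' },
  { name: 'password', type: 'password', value: 's3cret=pw' },
  { name: 'referer', type: 'hidden', value: '/wiki' },
  { name: 'login', type: 'submit', value: 'Login' },
];

function freshForm() {
  return loginForm.map((f) => ({ name: f.name, type: f.type, value: '' }));
}

// Returns the restored forms for both variants so the difference is visible.
function demo() {
  return {
    unpatched: restore(freshForm(), collectUnpatched(loginForm)),
    patched: restore(freshForm(), collectPatched(loginForm)),
  };
}
```

Running `demo()` shows the unpatched variant silently restoring the password while the patched one restores only the user name.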

Attachments (0)

Change History (3)

comment:1 Changed 4 years ago by hasienda

  • Summary changed from Don't cache password field content to [patch] Don't cache password field content

Suggested fix could be easy: Just prevent reading of any input of type password. This would be sufficient:

 datasaver.js |    1 +
 1 file changed, 1 insertion(+)
  • datasaverplugin/0.12/datasaver/htdocs/datasaver.js

    diff --git a/datasaverplugin/0.12/datasaver/htdocs/datasaver.js b/datasaverplugin/0.12/datasaver/htdocs/datasaver.js
    a b  
    8383            var element = form.elements[elemidx];
    8484            if (element.type != 'submit' &&
    8585                element.type != 'hidden' &&
     86                element.type != 'password' &&
    8687                element.value)
    8788            {
    8889                formdata.push(
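Review bot: the new `element.type != 'password'` condition at line 86 stops passwords from being collected from now on, but it does nothing about entries already written to the cache; as the description notes, restored data survives until cookies are cleared, so a password captured before this change will still be restored by a patched plugin until its cookie expires or is removed. Consider purging previously stored values for password-typed fields on first run, or at least calling this out in the changelog so administrators can advise users to clear the plugin's cookies.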

Verified to work just fine with a patched version; only the user name is cached/restored then.

comment:2 Changed 4 years ago by hasienda

  • Owner changed from rharkins to hasienda

Taking over responsibility after plugin adoption.

comment:3 Changed 4 years ago by hasienda

  • Resolution set to fixed
  • Status changed from new to closed

(In [8703]) DataSaverPlugin: Prevent password input field data collection, closes #7510.
