
Opened 7 years ago

Closed 7 years ago

#7510 closed defect (fixed)

[patch] Don't cache password field content

Reported by: Steffen Hoffmann
Owned by: Steffen Hoffmann
Priority: high
Component: DataSaverPlugin
Severity: major
Keywords: security precaution input cache
Cc:
Trac Release: 0.11

Description

This plugin works great for me with Trac 0.12.1dev-r9990, but IMHO it's going a little too far.

Today DataSaverPlugin basically is an effective password logger as well. I do use the login form provided by AccountManagerPlugin, and this is where the last username/password combination is cached and successfully restored later according to my tests tonight.

A privacy/security sensitive application would never want to restore any password field input or even cache such content at all. By doing so, DataSaverPlugin poses a considerable vulnerability, since even someone else could use it in the same browser to get valid authentication credentials, as long as cookies were not cleared meanwhile.

I judge this a bad habit, hence I look at it as a major defect.
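To make the description above concrete, here is an added example (not DataSaverPlugin's or AccountManagerPlugin's code) that models the plugin's form walk in plain JavaScript: an unsafe collector that keeps every non-submit, non-hidden value, which is the behaviour the ticket describes, beside a hardened one that also skips password inputs and fields marked autocomplete="off", and a restore routine that refuses to write sensitive fields back. The form object, the field names, the values and the function names (`collectUnsafe`, `collectSafe`, `isSensitive`, `restore`, `demo`) are this example's own assumptions; the form is a constructed stand-in for an HTMLFormElement so the example runs under Node without a browser DOM.

```javascript
// Added example, not code from DataSaverPlugin. The form objects below are
// constructed stand-ins for an HTMLFormElement (only .elements and
// .getAttribute are modelled) so the example runs under Node without a DOM.

function field(name, type, value, attrs = {}) {
  return {
    name, type, value,
    getAttribute: (a) => (Object.prototype.hasOwnProperty.call(attrs, a) ? attrs[a] : null),
  };
}

function makeForm(fields, attrs = {}) {
  return {
    elements: fields,
    getAttribute: (a) => (Object.prototype.hasOwnProperty.call(attrs, a) ? attrs[a] : null),
  };
}

// Constructed login form: user name, password, a one-time code the form author
// marked autocomplete="off", a hidden token and the submit button. With
// empty=true the same form is produced with blank values, as if re-rendered.
function sampleLoginForm(empty = false) {
  const v = (s) => (empty ? '' : s);
  return makeForm([
    field('user', 'text', v('alice')),
    field('password', 'password', v('hunter2')),
    field('otp', 'text', v('123456'), { autocomplete: 'off' }),
    field('__FORM_TOKEN', 'hidden', v('deadbeef')),
    field('login', 'submit', 'Login'),
  ]);
}

// Unsafe: the behaviour the ticket describes. Everything that is not a submit
// button or a hidden field is kept, the password included.
function collectUnsafe(form) {
  const formdata = [];
  for (const element of form.elements) {
    if (element.type !== 'submit' && element.type !== 'hidden' && element.value) {
      formdata.push([element.name, element.value]);
    }
  }
  return formdata;
}

// A field is sensitive when it is a password input, or when the element or its
// form carries autocomplete="off" (the author's signal not to retain the value).
function isSensitive(element, form) {
  if (element.type === 'password') return true;
  const autocompleteOf = (node) => String(node.getAttribute('autocomplete') || '').toLowerCase();
  return autocompleteOf(element) === 'off' || autocompleteOf(form) === 'off';
}

// Hardened: the same walk, but sensitive fields never reach the cache.
function collectSafe(form) {
  const formdata = [];
  for (const element of form.elements) {
    if (element.type !== 'submit' && element.type !== 'hidden' &&
        !isSensitive(element, form) && element.value) {
      formdata.push([element.name, element.value]);
    }
  }
  return formdata;
}

// Restore cached pairs into a re-rendered form, filling only fields that exist,
// are still empty and are not sensitive. Returns the names that were filled so
// the caller can see exactly what the cache touched. Filtering here as well
// means even a cache that was recorded unsafely cannot put a password back.
function restore(form, formdata) {
  const byName = new Map(formdata);
  const filled = [];
  for (const element of form.elements) {
    if (byName.has(element.name) && !element.value && !isSensitive(element, form)) {
      element.value = byName.get(element.name);
      filled.push(element.name);
    }
  }
  return filled;
}

// Demonstration: the unsafe cache leaks the password and the OTP, the safe one
// keeps only the user name, and restoring the unsafely recorded cache into a
// fresh form still fills nothing but the user name.
function demo() {
  const form = sampleLoginForm();
  const leaked = collectUnsafe(form);
  const kept = collectSafe(form);
  const fresh = sampleLoginForm(true);
  const filledFromLeak = restore(fresh, leaked);
  return { leaked, kept, filledFromLeak };
}
```

The `restore` side matters as much as the collection side: a cache written by an older, unfiltered version of the script is still on the client, so the reader must also refuse to replay password and autocomplete="off" fields rather than trusting that they were never stored.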

Attachments (0)

Change History (3)

comment:1 Changed 7 years ago by Steffen Hoffmann

Summary: Don't cache password field content → [patch] Don't cache password field content

The suggested fix could be easy: just prevent reading of any input of type password. This would be sufficient:

 datasaver.js |    1 +
 1 file changed, 1 insertion(+)
  • datasaverplugin/0.12/datasaver/htdocs/datasaver.js

    diff --git a/datasaverplugin/0.12/datasaver/htdocs/datasaver.js b/datasaverplugin/0.12/datasaver/htdocs/datasaver.js
    a b  
    8383            var element = form.elements[elemidx];
    8484            if (element.type != 'submit' &&
    8585                element.type != 'hidden' &&
     86                element.type != 'password' &&
    8687                element.value)
    8788            {
    8889                formdata.push(
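Review bot: the new `element.type != 'password'` test at new line 86 excludes only inputs typed password, so every other value in the login form (the user name, as the follow-up below confirms) and any field the form author marked autocomplete="off" is still pushed into formdata. If the goal is a privacy precaution rather than a password-only exception, consider skipping those as well, e.g. `element.getAttribute('autocomplete') != 'off' &&` alongside the type checks, and applying the same filter when cached data is written back so a cache recorded by the unpatched script is not replayed into a password field.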

Verified to work with a patched version just fine, only user name is cached/restored then.

comment:2 Changed 7 years ago by Steffen Hoffmann

Owner: changed from Rich Harkins to Steffen Hoffmann

Taking over responsibility after plugin adoption.

comment:3 Changed 7 years ago by Steffen Hoffmann

Resolution: fixed
Status: new → closed

(In [8703]) DataSaverPlugin: Prevent password input field data collection, closes #7510.
