[patch] Don't cache password field content
|Reported by:||Steffen Hoffmann||Owned by:||Steffen Hoffmann|
|Severity:||major||Keywords:||security precaution input cache|
This plugin works great for me with Trac 0.12.1dev-r9990, but IMHO it's going a little too far.
Today DataSaverPlugin basically is an effective password logger as well. I do use the login form provided by AccountManagerPlugin, and this is where the last username/password combination is cached and successfully restored later according to my tests tonight.
A privacy/security sensitive application would never want to restore any password field input or even cache such content at all. By doing so, DataSaverPlugin poses a considerable vulnerability, since even someone else could use it in the same browser to get valid authentication credentials, as long as cookies were not cleared meanwhile.
I judge this a bad habit - hence looking at it as a major defect.
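
One way to keep password input out of a form-data cache, both when saving and when restoring from a cache written before the fix. This is an added example, not part of the original ticket and not DataSaverPlugin's code. The helper names and the field objects are hypothetical, and the check on `autocomplete` hints goes beyond the password-type case the ticket describes.

```javascript
// Added example: hypothetical helpers, not DataSaverPlugin's code.
// Fields are plain objects mirroring the DOM properties type, name, value
// and autocomplete of form controls, so the logic runs without a browser.
const SENSITIVE_AUTOCOMPLETE = new Set([
  "off", "current-password", "new-password", "one-time-code",
]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// A field may be cached only if it is not a password input and the page
// has not marked it as a credential or opted out of autofill.
function isCacheable(field) {
  if (String(field.type || "text").toLowerCase() === "password") return false;
  const tokens = String(field.autocomplete || "").toLowerCase().split(/\s+/);
  return !tokens.some((t) => SENSITIVE_AUTOCOMPLETE.has(t));
}

// Build the snapshot that would be written to the cache.
function snapshot(fields) {
  const out = {};
  for (const f of fields) {
    if (f.name && isCacheable(f)) out[f.name] = f.value;
  }
  return out;
}

// Restore from a cache that may predate the fix and still hold a password:
// never write into a non-cacheable field, and return the cache with those
// entries purged so the caller can overwrite the stored copy.
function restore(fields, cached) {
  const purged = { ...cached };
  for (const f of fields) {
    if (!f.name || !hasOwn(cached, f.name)) continue;
    if (isCacheable(f)) f.value = cached[f.name];
    else delete purged[f.name];
  }
  return purged;
}

// Constructed sample: a login form plus a free-text field.
function demo() {
  const form = [
    { type: "text", name: "user", value: "alice", autocomplete: "username" },
    { type: "password", name: "password", value: "s3cret", autocomplete: "" },
    { type: "textarea", name: "comment", value: "draft text", autocomplete: "" },
  ];
  const saved = snapshot(form);
  const legacy = { user: "alice", password: "s3cret", comment: "old draft" };
  const blank = form.map((f) => ({ ...f, value: "" }));
  return { saved, blank, purged: restore(blank, legacy) };
}
```

In a browser the same functions can be passed `Array.from(form.elements)`, since form controls expose the same four properties.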