Opened 14 years ago
Closed 14 years ago
#7510 closed defect (fixed)
[patch] Don't cache password field content
Reported by: | Steffen Hoffmann | Owned by: | Steffen Hoffmann |
---|---|---|---|
Priority: | high | Component: | DataSaverPlugin |
Severity: | major | Keywords: | security precaution input cache |
Cc: | | Trac Release: | 0.11 |
Description
This plugin works great for me with Trac 0.12.1dev-r9990, but IMHO it's going a little too far.
Today DataSaverPlugin basically is an effective password logger as well. I do use the login form provided by AccountManagerPlugin, and this is where the last username/password combination is cached and successfully restored later according to my tests tonight.
A privacy/security sensitive application would never want to restore any password field input or even cache such content at all. By doing so, DataSaverPlugin poses a considerable vulnerability, since even someone else could use it in the same browser to get valid authentication credentials, as long as cookies were not cleared meanwhile.
I judge this bad habit - hence looking at it as a major defect.
Attachments (0)
Change History (3)
comment:1 Changed 14 years ago by
Summary: | Don't cache password field content → [patch] Don't cache password field content |
---|
comment:2 Changed 14 years ago by
Owner: | changed from Rich Harkins to Steffen Hoffmann |
---|
Taking over responsibility after plugin adoption.
comment:3 Changed 14 years ago by
Resolution: | → fixed |
---|---|
Status: | new → closed |
(In [8703]) DataSaverPlugin: Prevent password input field data collection, closes #7510.
Suggested fix could be easy: Just prevent reading of any input of type `password`. This would be sufficient: datasaverplugin/0.12/datasaver/htdocs/datasaver.js
Verified to work with a patched version just fine, only user name is cached/restored then.
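The patch attached to this ticket is not reproduced on the page, so the following is an added illustration, not DataSaverPlugin's own code or the change committed in [8703]. It shows the general shape of the fix the ticket asks for: a form-state saver that filters fields by `type` before it collects anything, and that applies the same filter on restore so a cookie written before the fix can never populate a password field. The function names, the `NEVER_CACHE_TYPES` list beyond `password` (hidden fields such as CSRF tokens, file inputs, buttons) and the `autocomplete="off"` check are assumptions of this example; the sample login form is constructed to resemble the AccountManagerPlugin login form mentioned above.

```javascript
// Added example (not DataSaverPlugin code): which form fields a client-side
// "restore my input" feature may persist, and which it must skip.

// Input types that must never be written to a cookie or localStorage.
// "password" is the case from ticket #7510; the other entries are this
// example's own defence-in-depth assumptions (CSRF tokens live in hidden
// fields, file inputs cannot be restored, buttons carry no user data).
const NEVER_CACHE_TYPES = new Set([
  "password", "hidden", "file", "submit", "button", "reset", "image",
]);

// A field is cacheable only if it has a name, its type is not on the deny
// list, and the page author has not marked it autocomplete="off"
// (assumption: honour that hint as a second opt-out signal).
function isCacheable(field) {
  if (!field.name) return false;
  const type = String(field.type || "text").toLowerCase();
  if (NEVER_CACHE_TYPES.has(type)) return false;
  if (String(field.autocomplete || "").toLowerCase() === "off") return false;
  return true;
}

// Collect values to persist. Accepts any array-like of objects exposing
// name/type/value, so it works both on the plain objects below and on a
// real form's controls via collectCacheableValues(form.elements).
function collectCacheableValues(fields) {
  const saved = {};
  for (const field of Array.from(fields)) {
    if (!isCacheable(field)) continue;
    saved[field.name] = field.value;
  }
  return saved;
}

// Restore values into a form. The same filter is applied here, so stored
// data from an older, unfixed version that still contains a password is
// dropped instead of being typed back into the password field.
// Returns the number of fields that were restored.
function restoreCacheableValues(fields, saved) {
  let restored = 0;
  for (const field of Array.from(fields)) {
    if (!isCacheable(field)) continue;
    if (!Object.prototype.hasOwnProperty.call(saved, field.name)) continue;
    field.value = saved[field.name];
    restored += 1;
  }
  return restored;
}

// Constructed sample input: a login form like the one the ticket describes.
const SAMPLE_LOGIN_FORM = [
  { name: "user", type: "text", value: "alice" },
  { name: "password", type: "password", value: "hunter2" },
  { name: "__FORM_TOKEN", type: "hidden", value: "constructed-csrf-token" },
  { name: "", type: "submit", value: "Login" },
];

// Constructed stale cookie payload from before the fix, with a password in it.
const STALE_SAVED_DATA = { user: "alice", password: "hunter2" };

// Stand-alone demonstration.
if (typeof require !== "undefined" && require.main === module) {
  console.log("persisted:", collectCacheableValues(SAMPLE_LOGIN_FORM));
  const blankForm = SAMPLE_LOGIN_FORM.map((f) => ({ ...f, value: "" }));
  const n = restoreCacheableValues(blankForm, STALE_SAVED_DATA);
  console.log("restored", n, "field(s):", blankForm.map((f) => [f.name, f.value]));
}
```

In a browser the two entry points would be called with `form.elements` on submit (save) and on page load (restore); the deny list is checked in both directions on purpose, since filtering only at save time leaves whatever an earlier version already stored in the cookie.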