Moodle / MDL-51050

Some forms with passwords and usernames get populated by the browser, which is not desired - backport of MDL-45772


    Details

    • Testing Instructions:

      On all browsers

      1. Log in to your Moodle course as an admin
      2. In the browser, select to save your password
      3. Site administration ► Plugins ► Enrolments ► Manage enrol plugins
      4. Enable Guest access
      5. Create a course
      6. On that creation screen, or course edit screen, check that your username does not appear in the id field, and your password does not appear in the guest access password field
      7. Save the form
      8. Use Firebug (or the Chrome inspector or the equivalent in the current browser) to view the "form data" and make sure your password wasn't passed
        1. Open the inspector
        2. Click the network tab
        3. Select the request at the top (you may need to scroll)
        4. Select the headers tab
        5. Scroll to "Form data"
      9. Verify that editing groups does not autofill enrolment keys.
      10. Verify that editing self-enrolment settings does not autofill enrolment keys.
      11. Search admin settings for "password"
      12. Ensure that no password fields are automatically filled and it has no additional space at the top of the form when compared with stable
      13. Go to quiz admin settings
      14. Ensure the password field is not automatically filled and it has no additional space at the top of the form when compared with stable
      15. Try logging in
      16. Ensure that your password is autofilled as expected
      17. On your database, run this SQL: DELETE FROM mdl_config where name = 'smtppass' OR name = 'smtpuser'
      18. Go to Site administration > Notifications and click check for updates
      19. Make sure the username and password are not filled in automatically and it has no additional space at the top of the form, compared to stable
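
The check in step 8 can also be done mechanically on the captured request. This is an added example, not part of the Moodle issue or Moodle's code: it scans a urlencoded POST body (as copied from the inspector's "Form data" source view) for the browser-saved username and password. The field names and credentials are constructed sample values.

```javascript
// Added example, not Moodle code. Field names and credentials are constructed.

// Return the submitted form fields whose value equals or contains one of the
// browser-saved credentials. Only the credential label is reported, never the
// secret itself, so the findings are safe to paste into a test report.
function findLeakedCredentials(formBody, savedCredentials) {
  const findings = [];
  // URLSearchParams decodes percent-encoding and '+' the same way the
  // inspector's parsed "Form data" view does.
  const params = new URLSearchParams(formBody);
  for (const [field, value] of params) {
    if (value === '') continue; // an empty field cannot carry a credential
    for (const [label, secret] of Object.entries(savedCredentials)) {
      if (secret !== '' && value.includes(secret)) {
        // exact === true means the whole field is the credential (autofill);
        // false means it merely appears inside a longer value.
        findings.push({ field, credential: label, exact: value === secret });
      }
    }
  }
  return findings;
}

// Constructed sample input: credentials the browser was told to remember.
const saved = { username: 'admin', password: 'S3cret+Pass&1' };

// Constructed course-edit POST where the browser autofilled both fields.
const leakedBody =
  'fullname=Test+course&shortname=tc1&idnumber=admin' +
  '&enrol_guest_password_0=S3cret%2BPass%261';

// Constructed course-edit POST with the fields left empty, as expected.
const cleanBody =
  'fullname=Test+course&shortname=tc1&idnumber=&enrol_guest_password_0=';

for (const f of findLeakedCredentials(leakedBody, saved)) {
  console.log(`FAIL: field "${f.field}" carries the saved ${f.credential}`);
}
if (findLeakedCredentials(cleanBody, saved).length === 0) {
  console.log('PASS: no saved credential in the clean submission');
}
```

A short username can also match by coincidence inside unrelated text fields, so treat findings with `exact: false` as something to inspect by hand rather than as a confirmed autofill.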
    • Affected Branches:
      MOODLE_27_STABLE
    • Fixed Branches:
      MOODLE_27_STABLE
    • Pull from Repository:

      Description

      In MDL-45772 an original way to prevent browsers from auto-filling (and sending) passwords for some fields was implemented. And, by our (integration team) mistake/misunderstanding, it was not backported to 2.7 LTS, where the potential password disclosure is important enough.

      So this is about backporting that issue to 27_STABLE.

      That is it.

              People

              • Votes:
                1
                Watchers:
                8

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  14/Sep/15