Moodle / MDL-53048

Create new "password" fields that are not auto-filled by password managers


    Details

    • Testing Instructions:

      Behat should run as normal. You may also like to run the Behat tests for the enrol_self plugin to verify them.

      1. Create a new course
      2. View the list of enrolment methods
      3. Enable the self-enrolment instance
      4. Edit the self-enrolment instance
      5. Attempt to navigate away without saving changes
        1. Confirm no form change check
      6. Click to set an enrolment key
      7. Attempt to navigate away without saving changes
        1. Confirm form change checker came up
      8. Do not move away
      9. Play around with the password unmask in the enrolment key field:
        1. Use keyboard (enter) to toggle between editor and display
        2. Tab to the view icon and toggle between masked and unmasked
        3. Try toggling the masking whilst using the editor too
      10. Save changes
        1. Confirm no form change check
      11. For master and 31:
        1. Open enrol/self/lib.php in your editor and find the edit_instance_form function
      12. For 30:
        1. Open enrol/self/edit_form.php in your editor and find the definition
      13. Find where the password form element is defined and add the following line after it:

        $mform->freeze('password');

      14. View the form in your browser again
        1. Confirm that the passwordunmask is missing the edit icon and that you can only toggle the value
      15. Modify the form definition again and change the freeze to a hardFreeze:

        $mform->hardFreeze('password');

      16. View the form in your browser again
        1. Confirm that the passwordunmask is missing the edit icon and that you can only toggle the value
      17. View the page source
        1. Confirm that the "name" attribute is missing from the hidden input element associated with the form
        2. Set the value to something different
      18. Find the validation function for the form (same file, called edit_instance_validation in master/31 and validation on 30).
      19. Edit it to add:

        var_dump($_POST);
        var_dump($data);
        die;

      20. Submit the form
        1. Confirm that the 'password' was not included in the $_POST output but was included in the $data
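The element behaviour the steps above exercise, written as an added example in plain JavaScript. This is not Moodle's own passwordunmask code: the element structure, the attribute names, and the three freeze modes ('none', 'freeze', 'hardfreeze', standing in for no freeze, $mform->freeze and $mform->hardFreeze) are assumptions that mirror what the steps check, namely that the field name sits on a hidden input, the visible editor carries no name and autocomplete=off, and a hard-frozen value is not submitted at all.

```javascript
// Added example: a simplified model of the "passwordunmask" pattern, not Moodle's code.
// Defensive idea: the field name lives on a hidden input and the visible editor is a plain
// text input with no name and autocomplete=off, so a password manager finds no
// type="password" input called "password" to fill with the user's account password.

const MASK_CHAR = '\u2022'; // bullet shown while the value is masked

// freeze mirrors $mform->freeze('password') / $mform->hardFreeze('password') (assumed):
// 'none' | 'freeze' | 'hardfreeze'
function createPasswordUnmask({ name, value = '', freeze = 'none' }) {
  return { name, value, freeze, masked: true, editing: false };
}

// The view icon toggles masked/unmasked; it works in every freeze mode.
function toggleMask(state) {
  return { ...state, masked: !state.masked };
}

// Enter toggles the inline editor; frozen elements have no edit icon, so it is a no-op.
function toggleEdit(state) {
  if (state.freeze !== 'none') return state;
  return { ...state, editing: !state.editing };
}

// Copy the editor's text back into the hidden input when editing finishes.
function commitEdit(state, newValue) {
  if (!state.editing) return state;
  return { ...state, value: newValue, editing: false };
}

// Render the element as plain attribute maps (a real implementation builds DOM nodes).
function render(state) {
  const hidden = { tag: 'input', type: 'hidden', value: state.value };
  // hardFreeze drops the name attribute, so the browser never submits the value.
  if (state.freeze !== 'hardfreeze') hidden.name = state.name;
  const display = state.masked ? MASK_CHAR.repeat(state.value.length) : state.value;
  const editor = state.editing
    ? { tag: 'input', type: 'text', autocomplete: 'off', value: state.value } // no name
    : null;
  return { hidden, display, editor, showEditIcon: state.freeze === 'none' };
}

// What the browser would put in $_POST: only inputs that carry a name are submitted.
function submittedFields(state) {
  const { hidden, editor } = render(state);
  const post = {};
  if (hidden.name !== undefined) post[hidden.name] = hidden.value;
  if (editor && editor.name !== undefined) post[editor.name] = editor.value;
  return post;
}
```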
    • Affected Branches:
      MOODLE_29_STABLE, MOODLE_30_STABLE, MOODLE_31_STABLE
    • Fixed Branches:
      MOODLE_32_STABLE
    • Pull Master Branch:
      MDL-53048-master

      Description

      Related to a bug I found in the External Tool (MDL-53046).

      Scenario: I have LastPass installed and active. I go to Moodle and create an External Tool for my course, I enter in a URL and it auto-detects that it matches a site level configured tool. Great! I then go and add the tool.

      When I click on the tool I get an error saying that my LTI credentials are misconfigured. I check my External Tools settings and find out that LastPass entered in my Moodle account password for the LTI secret. I didn't realize this, because the key/secret is hidden under a "Show more". So, now the security concern is that my Moodle password is now saved in plaintext and I wouldn't know that unless I knew to debug the issue and click on "Show more" and remove it.

      What I expect is for Moodle forms to not have field elements that can confuse password managers like LastPass. I would recommend, in this case, for the External Tool password field to be renamed from a generic password field to ltipassword.

      The same goes for other modules or form fields that are just called password.


                Dates

                • Fix Release Date: 5/Dec/16