Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-59326

Don't use password field for shared secrets

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.4, 3.5.5, 3.6.3
    • Fix Version/s: 3.7
    • Component/s: Forms Library
    • Labels:
    • Testing Instructions:
      Hide
      1. Create a new WebDAV repository instance
      2. Confirm the WebDAV server password field is a passwordunmask field type
      3. Create a new MongoDB cache store instance
      4. Confirm the Password field is a passwordunmask field type
      Show
      Create a new WebDAV repository instance Confirm the WebDAV server password field is a passwordunmask field type Create a new MongoDB cache store instance Confirm the Password field is a passwordunmask field type
    • Affected Branches:
      MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
    • Fixed Branches:
      MOODLE_37_STABLE
    • Pull from Repository:
    • Pull Master Branch:
    • Pull Master Diff URL:

      Description

      Following from MDL-57021 there are still 2 cases where we use a password form for shared secrets. This is what the "passwordunmask" field is for, and using this field will prevent password managers from auto-filling these fields with passwords from the users password list and accidentally overwriting the value.

      cache/stores/mongodb/addinstanceform.php

      repository/webdav/lib.php

       

        Attachments

          Issue Links

          has a non-specific relationship to

          Improvement - An enhancement to an existing Moodle feature. MDL-63734 If passwordunmask field is hardcoded in config.php, do not show the value

          • Minor - Minor loss of function where workaround is possible
          • Closed

          Improvement - An enhancement to an existing Moodle feature. MDL-64190 Site admin password fields should use password config element

          • Minor - Minor loss of function where workaround is possible
          • Closed
          has been marked as being related by

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-57021 The new 'password unmask' field should only be used when entering shared secrets

          • Critical - Crashes server, loss of data, severe memory leak
          • Closed

            Activity

              People

              Assignee:
              pholden Paul Holden
              Reporter:
              damyon Damyon Wiese
              Peer reviewer:
              Jake Dallimore
              Integrator:
              David Monllaó
              Tester:
              Anna Carissa Sadia
              Participants:
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan
              Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                20/May/19

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 30 minutes
                  30m