Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-59326

Don't use password field for shared secrets

    XMLWordPrintable

Details

    • Improvement
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 3.4, 3.5.5, 3.6.3
    • 3.7
    • Forms Library
    • MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
    • MOODLE_37_STABLE
    • Hide
      1. Create a new WebDAV repository instance
      2. Confirm the WebDAV server password field is a passwordunmask field type
      3. Create a new MongoDB cache store instance
      4. Confirm the Password field is a passwordunmask field type
      Show
      Create a new WebDAV repository instance Confirm the WebDAV server password field is a passwordunmask field type Create a new MongoDB cache store instance Confirm the Password field is a passwordunmask field type

    Description

      Following from MDL-57021 there are still 2 cases where we use a password form for shared secrets. This is what the "passwordunmask" field is for, and using this field will prevent password managers from auto-filling these fields with passwords from the users password list and accidentally overwriting the value.

      cache/stores/mongodb/addinstanceform.php

      repository/webdav/lib.php

       

      Attachments

        Issue Links

          has a non-specific relationship to

          Improvement - An enhancement to an existing Moodle feature. MDL-63734 If passwordunmask field is hardcoded in config.php, do not show the value

          • Minor - Minor loss of function where workaround is possible
          • Closed

          Improvement - An enhancement to an existing Moodle feature. MDL-64190 Site admin password fields should use password config element

          • Minor - Minor loss of function where workaround is possible
          • Closed
          has been marked as being related by

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-57021 The new 'password unmask' field should only be used when entering shared secrets

          • Critical - Crashes server, loss of data, severe memory leak
          • Closed

          Activity

            People

              pholden Paul Holden
              damyon Damyon Wiese
              Jake Dallimore Jake Dallimore
              David Monllaó David Monllaó
              Anna Carissa Sadia Anna Carissa Sadia
              David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo
              Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                20/May/19

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 30 minutes
                  30m