- Bug
- Resolution: Fixed
- Major
- 4.0.7, 4.0.8, 4.0.9, 4.1.2, 4.1.3, 4.1.4, 4.2, 4.2.1
- MOODLE_400_STABLE, MOODLE_401_STABLE, MOODLE_402_STABLE
- MOODLE_401_STABLE, MOODLE_402_STABLE
- MDL-78961-401

It seems like, due to a typo in the default adminpresets sensiblesettings, SMTP passwords are included in admin site presets by default despite the opposite intention. I see in my 4.0.5 site's sensiblesettings the string "smtp@none" (note the single "@"). This string also appears in lib/db/upgrade.php and admin/settings/security.php on master: https://github.com/search?q=repo%3Amoodle%2Fmoodle%20SMTPPASS%40non&type=code
Obviously, the intention was to omit this password field, but since only one "@" symbol was included the string is ignored. This seems like a fairly major issue given that users who scan through the sensiblesettings might consider smtppass to be omitted if they don't read carefully. I only noticed because I read through the full export XML.
- has a non-specific relationship to
- MDL-74489 Admin presets export tool should treat salt config as sensitive to the site
- Closed
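
An added example, not Moodle's code and not part of the original report: a Python audit of a sensiblesettings value that flags entries a single "@" would cause to be ignored, and the secrets that are left unprotected as a result. It assumes entries are comma-separated `name@@plugin` pairs with `none` as the plugin for core settings; the sample value and the required list are constructed.

```python
import re

# Assumed entry format: "settingname@@pluginname" (exactly two "@").
ENTRY_RE = re.compile(r"^[^@\s]+@@[^@\s]+$")

# Constructed sample value reproducing the typo described in the report.
SAMPLE = "smtpuser@@none, smtppass@none, proxypassword@@none"

# Constructed list of (setting, plugin) pairs the site expects to be withheld.
REQUIRED = [("smtpuser", "none"), ("smtppass", "none"), ("proxypassword", "none")]


def parse_sensiblesettings(raw):
    """Return (valid, malformed): a set of (name, plugin) and a list of bad entries."""
    valid, malformed = set(), []
    for entry in (e.strip() for e in raw.split(",")):
        if not entry:
            continue  # tolerate trailing commas and blank items
        if ENTRY_RE.match(entry):
            name, plugin = entry.split("@@")
            valid.add((name, plugin))
        else:
            malformed.append(entry)
    return valid, malformed


def audit(raw, must_protect):
    """Report malformed entries, a likely correction, and uncovered secrets."""
    valid, malformed = parse_sensiblesettings(raw)
    suggested = {}
    for entry in malformed:
        # An entry with one or three "@" still splits into name and plugin.
        parts = [p for p in re.split(r"@+", entry) if p]
        if len(parts) == 2:
            suggested[entry] = "@@".join(parts)
    unprotected = sorted(set(must_protect) - valid)
    return {"malformed": malformed, "suggested": suggested,
            "unprotected": unprotected}


if __name__ == "__main__":
    for key, value in audit(SAMPLE, REQUIRED).items():
        print(f"{key}: {value}")
```
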