Moodle MDL-78961

smtppass setting should not be included in admin site presets


    • MOODLE_400_STABLE, MOODLE_401_STABLE, MOODLE_402_STABLE
    • MOODLE_401_STABLE, MOODLE_402_STABLE
    • MDL-78961-401

      Prior to patch

      1. Install Moodle using previous weekly build

      Testing patch

      1. Checkout fixed branch
      2. Run upgrade script
      3. Navigate to Security > Site security settings in site administration
      4. Confirm that the Settings with passwords field contains "smtppass@@none"
      5. Confirm that the Settings with passwords default contains "smtppass@@none"
      6. Navigate to Site admin presets in site administration
      7. Press Create preset
        • Choose a name
        • Ensure Include settings with passwords is unchecked
      8. Press Create preset
      9. Press Actions > Download for your new preset
      10. Open XML file
      11. Confirm there is no <SMTPPASS> setting

      It seems like, due to a typo in the default adminpresets sensiblesettings, SMTP passwords are included in admin site presets by default despite the opposite intention. I see in my 4.0.5 site's sensiblesettings the string "smtp@none" (note the single "@"). This string also appears in lib/db/upgrade.php and admin/settings/security.php on master: https://github.com/search?q=repo%3Amoodle%2Fmoodle%20SMTPPASS%40non&type=code

      Obviously, the intention was to omit this password field, but since only one "@" symbol was included the string is ignored. This seems like a fairly major issue given that users who scan through the sensiblesettings might consider smtppass to be omitted if they don't read carefully. I only noticed because I read through the full export XML.
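
An added example, not part of the original issue or Moodle's own code: a Python check that flags sensiblesettings entries not written as name@@plugin and reports which settings meant to be excluded still appear as elements in a downloaded preset XML. The comma-separated list format, the sample strings and the XML layout are constructed assumptions; only the "smtppass@@none" entry and the <SMTPPASS> element name come from the issue.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: the setting is a comma-separated list of "name@@plugin" entries.
WELL_FORMED = re.compile(r"^\w+@@\w+$")

def split_entries(sensiblesettings):
    """Split the raw setting string into trimmed, non-empty entries."""
    return [e.strip() for e in sensiblesettings.split(",") if e.strip()]

def malformed_entries(sensiblesettings):
    """Entries that are not name@@plugin; per the report these are ignored."""
    return [e for e in split_entries(sensiblesettings) if not WELL_FORMED.match(e)]

def intended_names(sensiblesettings):
    """Setting names the admin meant to exclude, well-formed or not."""
    return {e.split("@", 1)[0].lower() for e in split_entries(sensiblesettings)}

def exported_names(preset_xml):
    """Lower-cased element names found anywhere in an exported preset."""
    # Only parse presets exported from your own site with this parser.
    return {el.tag.lower() for el in ET.fromstring(preset_xml).iter()}

def leaked(sensiblesettings, preset_xml):
    """Settings meant to be excluded that still appear in the export."""
    return sorted(intended_names(sensiblesettings) & exported_names(preset_xml))

# Constructed sample data (not taken from a real site or from the issue).
BROKEN = "smtpuser@@none, smtppass@none, proxypassword@@none"
FIXED = "smtpuser@@none, smtppass@@none, proxypassword@@none"
EXPORT_BEFORE = ("<PRESET><ADMIN_SETTINGS><SMTPHOSTS>mail.example.org</SMTPHOSTS>"
                 "<SMTPPASS>constructed-value</SMTPPASS></ADMIN_SETTINGS></PRESET>")
EXPORT_AFTER = ("<PRESET><ADMIN_SETTINGS><SMTPHOSTS>mail.example.org</SMTPHOSTS>"
                "</ADMIN_SETTINGS></PRESET>")

if __name__ == "__main__":
    print("malformed entries:", malformed_entries(BROKEN))
    print("leaked before fix:", leaked(BROKEN, EXPORT_BEFORE))
    print("leaked after fix: ", leaked(FIXED, EXPORT_AFTER))
```
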

            Paul Holden (pholden)
            Eric Phetteplace (ephetteplace)
            Andrew Lyons
            Huong Nguyen
            Kim Jared Lucas