[TYPO3-core] RFC #14307: fe_user passwords are visible in the info popup window in the backend
Lars Houmark
lars at houmark.com
Tue May 4 23:47:18 CEST 2010
Hi,
This is a SVN patch request.
Type: Bugfix
BT reference: http://bugs.typo3.org/view.php?id=14307
Branches: trunk, 4.3 (4.2?)
Problem: The FE user passwords are still shown in the info popup window
in the list module (and page module).
Solution: Attached patch will hide the password by changing it to a
random number (between 5-12 chars) of asterisks (*).
This will happen in t3lib_befunc->getProcessedValue and the check is
done generically, so that any field that has eval set to password will
have that replaced, thus this will work for user tables as well.
How to test:
- Create a Website user record
- Click on the page module, then the page the user was created on
- Click the user icon and click info
- The popup shows the value of the password field
- Apply the patch
- The password is now changed to a random number of asterisks, reloading
the popup window will show a different length of asterisks
Notes: I went through all core calls to the
t3lib_befunc->getProcessedValue function and all of them are for display
only, meaning changing the password to asterisk values cannot have any
side effects.
The patch is made for current trunk, but will apply to the 4.3 branch
with a minor offset.
Thanks to Christopher ?? for noticing it.
--
Lars Houmark
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 14307.diff
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20100504/5d1c14ae/attachment.asc>
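
The masking approach described in the message, as an added example; it is not the contents of 14307.diff and not TYPO3 core code. The function names isPasswordField and displayValue and the sample column definitions are assumptions made for illustration, and PHP 7 or later is assumed for random_int.

```php
<?php
// Added illustration of the approach in the message above.
// Not the attached patch; all names below are hypothetical.

/**
 * TRUE when a column's comma-separated "eval" list contains the
 * "password" keyword. Columns without an eval setting return FALSE.
 */
function isPasswordField(array $columnConfig): bool
{
    $evalList = array_map('trim', explode(',', $columnConfig['eval'] ?? ''));
    return in_array('password', $evalList, true);
}

/**
 * Display-only formatter: password fields are replaced by asterisks,
 * everything else is HTML-escaped for output.
 */
function displayValue(string $value, array $columnConfig): string
{
    if (isPasswordField($columnConfig)) {
        // The mask length is random (5-12) and independent of the
        // stored value, so it does not reveal the real length.
        return str_repeat('*', random_int(5, 12));
    }
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample column definitions and record (not real data).
$columns = [
    'username' => ['type' => 'input', 'eval' => 'nospace,lower,required'],
    'password' => ['type' => 'input', 'eval' => 'nospace,required,password'],
    'city'     => ['type' => 'input'], // no eval key at all
];
$row = [
    'username' => 'jdoe',
    'password' => 'constructed-secret',
    'city'     => 'Aarhus <b>',
];

foreach ($row as $field => $value) {
    printf("%-10s %s\n", $field, displayValue($value, $columns[$field]));
}
```

Because the check keys on the eval setting rather than on a table or field name, any column configured with the password keyword is masked, which matches the generic behaviour the message describes. The mask belongs only in display paths; code that writes or compares the value must keep reading the stored field.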