[TYPO3-core] RFC #14307: fe_user passwords are visible in the info popup window in the backend
Lars Houmark
lars at houmark.com
Wed May 5 13:25:12 CEST 2010
Hi Jörg,
Jörg Klein wrote:
> Sure, it is more secure than now, but not showing this field at all would be
> at least as secure, wouldn't it?
>
> That would also be in line with the solutions in the page module (issue
> 9798) and in the install tool (issue 10993), where we also don't show
> asterisks.
>
> I don't see for what reason you want to display random information, which
> is not usable for anything...
> Hide password fields and everything is fine.

Actually, hiding it in this particular case is more difficult, since
the function where the check is done now is not doing any output, and if
the check is done in the output part of the popup, it is no longer
generic and cannot work this easily for user tables - meaning the code
would be more limiting.

Also, if another label somewhere outputs it because someone did a bad
implementation, it will again be shown.

My patch will hide any password eval field even if it is a label or
similar, so this way we will not get a new case of passwords that are in
clear text.

Besides, asterisks are used in several other places, like in different fields
in the backend (try editing a FE user).

--
Lars Houmark
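
An added example (not part of the original mail and not the patch under discussion) of the approach described above: the mask is applied in the one generic value formatter, keyed on a `password` eval, so an info-popup view and a badly configured label are both covered. The `$tca` array, the sample row and all function names are hypothetical, simplified stand-ins for TYPO3's configuration and code.

```php
<?php
// Constructed, simplified stand-in for a TCA definition (not TYPO3's shipped fe_users TCA).
$tca = ['fe_users' => [
    // 'label_alt' pointing at the password column models the "bad implementation" case.
    'ctrl' => ['label' => 'username', 'label_alt' => 'password'],
    'columns' => [
        'username' => ['config' => ['type' => 'input', 'eval' => 'nospace,lower,required']],
        'password' => ['config' => ['type' => 'input', 'eval' => 'nospace,required,password']],
    ],
]];

// Hypothetical generic formatter: it produces no output itself, it only returns
// the display value, and every view below obtains its values through it.
function processedValue(array $tca, string $table, string $field, string $value): string
{
    $eval = $tca[$table]['columns'][$field]['config']['eval'] ?? '';
    if (in_array('password', array_map('trim', explode(',', $eval)), true)) {
        return '*********'; // fixed length, so the real length is not disclosed either
    }
    return htmlspecialchars($value);
}

// Caller 1: info popup, lists every configured column of the record.
function infoPopupRows(array $tca, string $table, array $row): array
{
    $out = [];
    foreach (array_keys($tca[$table]['columns']) as $field) {
        $out[$field] = processedValue($tca, $table, $field, (string)($row[$field] ?? ''));
    }
    return $out;
}

// Caller 2: record title built from the label fields named in 'ctrl'.
function recordTitle(array $tca, string $table, array $row): string
{
    $parts = [];
    foreach ([$tca[$table]['ctrl']['label'], $tca[$table]['ctrl']['label_alt']] as $field) {
        $parts[] = processedValue($tca, $table, $field, (string)($row[$field] ?? ''));
    }
    return implode(', ', $parts);
}

// Constructed sample record.
$row = ['username' => 'jdoe', 'password' => 'constructed-sample-secret'];
print_r(infoPopupRows($tca, 'fe_users', $row)); // password column shows the mask
echo recordTitle($tca, 'fe_users', $row), "\n"; // jdoe, *********
```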