- Status Unconfirmed
- Percent Complete
- Task Type Bug Report
- Category Installer and Upgrader
- Assigned To No-one
- Operating System All
- Severity Medium
- Priority Very Low
- Reported Version 0.9.9.7
- Due in Version Undecided
- Due Date Undecided
- Votes
- Private
Attached to Project: Flyspray - The bug killer!
Opened by Robert Lerner - 02.04.2015
Last edited by peterdd - 12.05.2015
FS#1988 - Password Field for Admin
The installer requests a password for the admin account, and provides a default one.
Because this field is not type="password", the browser caches this data for any field named "admin_password".
This also applies to future installations of the software.
I have marked this as critical as this can pose a security hazard. A different implementation would be allowing entry of password, or in the case of wanting to provide a default one, have two password fields prepopulated, and a text one prepopulated so that it can be viewed by the end user.
My bad for not seeing the security procedure linked on the page.
Made a pull request on GitHub, please take a look if that solves your consideration.
Made it a password input field that can be switched by JS to view the password. Does this help in your case?
In which browser and under which concrete circumstances (cross-domain?) is it a problem?
In Firefox 38.0 Update history (2015-05-12):
Changed autocomplete=off is no longer supported for username/password fields
https://bugzilla.mozilla.org/show_bug.cgi?id=1025703
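
A masked field with a view toggle, as described in the thread, shown as an added example that is not Flyspray's code or the code from the pull request. The field name `admin_password` comes from the report; the element ids and function names are assumptions. It also re-masks the field before submit, so the value is never submitted from a `type="text"` input.

```javascript
// Added example, not Flyspray's code. The field name admin_password is from
// the report; element ids and function names are assumptions.

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Render the prepopulated field masked by default, so the browser treats it
// as a password rather than as ordinary text-field history.
function renderAdminPasswordField(defaultPassword) {
  return '<input type="password" id="admin_password" name="admin_password" value="' +
    escapeAttr(defaultPassword) + '">' +
    '<button type="button" id="admin_password_toggle">Show</button>';
}

// Flip between masked and visible; returns the new input type.
function toggleVisibility(input, button) {
  const reveal = input.type === 'password';
  input.type = reveal ? 'text' : 'password';
  button.textContent = reveal ? 'Hide' : 'Show';
  return input.type;
}

// Re-mask before the form is submitted: a field that is type="text" at
// submit time can be saved under its name like any other text field.
function maskBeforeSubmit(input, button) {
  input.type = 'password';
  button.textContent = 'Show';
  return input.type;
}

// Wire the handlers (assumes the markup rendered above sits inside a form).
function attachPasswordToggle(doc) {
  const input = doc.getElementById('admin_password');
  const button = doc.getElementById('admin_password_toggle');
  button.addEventListener('click', () => toggleVisibility(input, button));
  input.form.addEventListener('submit', () => maskBeforeSubmit(input, button));
  return { input, button };
}
```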