Flyspray - The bug killer!

  • Status Unconfirmed
  • Percent Complete 50%
  • Task Type Bug Report
  • Category Installer and Upgrader
  • Assigned To No-one
  • Operating System All
  • Severity Medium
  • Priority Very Low
  • Reported Version 0.9.9.7
  • Due in Version Undecided
  • Due Date Undecided
  • Votes
  • Private
Attached to Project: Flyspray - The bug killer!
Opened by Robert Lerner - 02.04.2015
Last edited by peterdd - 12.05.2015

FS#1988 - Password Field for Admin

The installer requests a password for the admin account, and provides a default one.

Because this field is not type="password", the browser caches this data for any field named "admin_password".

This also applies to future installations of the software.

I have marked this as critical as this can pose a security hazard. A different implementation would be allowing entry of password, or in the case of wanting to provide a default one, have two password fields prepopulated, and a text one prepopulated so that it can be viewed by the end user.

Robert Lerner commented on 02.04.2015 04:10

My bad for not seeing the security procedure linked on the page.

Project Manager
peterdd commented on 29.04.2015 00:20

Made a pull request on GitHub, please take a look if that solves your consideration.

Made it a password input field that can be switched by JS to view the password. Does this help in your case?

In which browser and under which concrete circumstances (cross-domain?) is it a problem?

Project Manager
peterdd commented on 12.05.2015 16:44

In Firefox 38.0 Update history (2015-05-12):

Changed autocomplete=off is no longer supported for username/password fields

https://bugzilla.mozilla.org/show_bug.cgi?id=1025703
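
The condition reported in this task, a field named admin_password rendered as a plain text input, can be checked for mechanically in installer templates. The following is an added example, not part of the thread and not Flyspray's code; the function names, the name pattern and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: flag credential-like <input> fields that are not type="password".
// Heuristic regex scan; it assumes no attribute value contains a literal '>'.
const CREDENTIAL_NAME = /pass(word|wd|phrase)|pwd|secret/i; // assumed naming pattern

// Parse the attributes of one <input ...> tag into a lower-cased name -> value map.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const body = tag.replace(/^<input\b/i, '').replace(/\/?>$/, '');
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per input whose name looks like a credential but whose
// type lets the browser keep the value in ordinary form history.
function findExposedCredentialInputs(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    const a = parseAttributes(tag);
    const type = (a.type || 'text').toLowerCase(); // a missing type defaults to text
    if (!CREDENTIAL_NAME.test(a.name || '')) continue;
    if (type === 'password' || type === 'hidden') continue;
    findings.push({ name: a.name, type, prefilled: Boolean(a.value) });
  }
  return findings;
}

// Constructed sample markup (not the real installer template).
const SAMPLE = `
<form method="post">
  <input type="text" name="admin_username" value="admin">
  <input type="text" name="admin_password" value="constructed-default">
  <input type="password" name="db_password">
  <input name="confirm_password">
</form>`;

console.log(findExposedCredentialInputs(SAMPLE));
```
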
