Foswiki Tasks Web: Item14104 (31 Jan 2018, GeorgeClark)

Item14104: Plain text password is sent by email in registration approval request.

Priority: Normal
Current State: Closed
Released In: 2.1.3
Target Release: patch
Applies To: Engine
Component: FoswikiUIRegister
Branches: Release02x01 master Item13897 Item14380 Item14537
Reported By: AdrianWadey
Waiting For:
Last Change By: GeorgeClark
Is it right that a new user's password is sent as plain text in the "Foswiki registration approval required" email?

Example:

  A user requires your approval to complete their registration
  * Confirm: Pa55word
  * Email: adrianw@somewhere.com
  * FirstLastName: Adrian Wadey
  * Name: Adrian Wadey
  To approve this registration, visit http://somewhere.net/bin/register?action=approve;code=AdrianWadey.31031031;referee=AdminUser
  To block this registration, visit http://somewhere.net/bin/register?action=disapprove;code=AdrianWadey.31031031;referee=AdminUser

-- AdrianWadey - 01 Jul 2016

It definitely should NOT be exposed this way.

But, I can't seem to recreate this issue. I've tried it on a newly installed Foswiki 2.1.2 system, as well as on a git checkout of our development code. The Password field is always obfuscated with ******. I've never seen the Confirm: field sent in any of the emails, regardless of the settings.

Could you show the "register" keys from your LocalSite.cfg?
grep -i register lib/LocalSite.cfg
... (omitted noise)
$Foswiki::cfg{Register}{AllowLoginName} = 0;
$Foswiki::cfg{Register}{Approvers} = 'JoeUser';
$Foswiki::cfg{Register}{DisablePasswordConfirmation} = 0;
$Foswiki::cfg{Register}{EmailFilter} = '';
$Foswiki::cfg{Register}{EnableNewUserRegistration} = 1;
$Foswiki::cfg{Register}{ExpireAfter} = 21600;
$Foswiki::cfg{Register}{HidePasswd} = 1;
$Foswiki::cfg{Register}{NeedApproval} = 1;
$Foswiki::cfg{Register}{NeedVerification} = 1;
$Foswiki::cfg{Register}{RegistrationAgentWikiName} = 'RegistrationAgent';
$Foswiki::cfg{Register}{UniqueEmail} = 0;

I've found one possible place in the code where the "Confirm" field might slip through, but even seeing this, I cannot recreate the problem. You could try the following patch to see if it resolves the issue:

diff --git lib/Foswiki/UI/Register.pm lib/Foswiki/UI/Register.pm
index fb11240..4c6e713 100755
--- lib/Foswiki/UI/Register.pm
+++ lib/Foswiki/UI/Register.pm
@@ -2053,7 +2053,7 @@ sub _sendEmail {
     foreach my $field ( keys %$data ) {
         my $f = uc($field);
         unless ( $text =~ s/\%$f\%/$data->{$field}/g ) {
-            unless ( $field =~ m/^Password|form|webName/
+            unless ( $field =~ m/^Password|Confirm|form|webName/
                 || !defined( $data->{$field} )
                 || $data->{$field} !~ /\W/ )
             {
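Review bot: The `^` anchor in `m/^Password|Confirm|form|webName/` binds only to the `Password` alternative, so `Confirm`, `form` and `webName` match anywhere in the field name and any other secret-bearing field (one that neither starts with `Password` nor contains `Confirm`) still reaches the inner block; write `m/^(?:Password|Confirm|form|webName)/` if anchoring is intended, or better, replace the denylist with an allowlist of the fields an approver actually needs. Separately, the `$data->{$field} !~ /\W/` test skips values made only of word characters, so a value such as the reported `Pa55word` would not enter the inner block even without this patch, which is consistent with the failure to reproduce and suggests the leak comes from a different path; the commit should call this a defensive addition rather than a fix.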

-- GeorgeClark - 01 Jul 2016
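
As an added example (not Foswiki's code), the Perl script below reproduces the skip logic of the `_sendEmail` loop patched above with the regex passed as a parameter, shows what the patch changes for the `Confirm` field, and contrasts it with an allowlist of approver-visible fields. The field names and values are constructed to mirror the report; `NewPassword`, the subroutine names, the mail template and the `@APPROVER_FIELDS` list are assumptions, and the value test from the real loop is deliberately left out so that only the regex effect is visible.

```perl
#!/usr/bin/perl
# Added example, not Foswiki code: behaviour of the field-skipping regex in
# _sendEmail versus an allowlist. Data is constructed to mirror the report;
# NewPassword and the sub names are hypothetical.
use strict;
use warnings;

# Constructed registration data, modelled on the mail quoted in the report.
my %data = (
    Password      => 'Pa55word',
    Confirm       => 'Pa55word',
    Email         => 'adrianw@somewhere.com',
    FirstLastName => 'Adrian Wadey',
    Name          => 'Adrian Wadey',
    WikiName      => 'AdrianWadey',
    form          => 'UserRegistration',
    webName       => 'Main',
);

# Template with one placeholder; fields without a placeholder get appended.
my $template = "A user requires your approval to complete their registration\n"
             . "WikiName: %WIKINAME%\n";

# Denylist: every field not matched by $skip is appended. Mirrors the patched
# loop except for the value test ($data->{$field} !~ /\W/), which is omitted.
sub mail_denylist {
    my ( $tmpl, $d, $skip ) = @_;
    my $text = $tmpl;
    foreach my $field ( sort keys %$d ) {
        my $f = uc $field;
        next if $text =~ s/\%$f\%/$d->{$field}/g;    # placeholder filled
        next if $field =~ $skip;                     # denylisted name
        next unless defined $d->{$field};
        $text .= "   * $field: $d->{$field}\n";
    }
    return $text;
}

# Allowlist: only fields an approver needs are ever copied into the mail,
# so a field added later cannot leak by default.
my @APPROVER_FIELDS = qw(WikiName Name FirstLastName Email);

sub mail_allowlist {
    my ( $tmpl, $d ) = @_;
    my $text = $tmpl;
    foreach my $field (@APPROVER_FIELDS) {
        next unless defined $d->{$field};
        my $f = uc $field;
        next if $text =~ s/\%$f\%/$d->{$field}/g;
        $text .= "   * $field: $d->{$field}\n";
    }
    return $text;
}

# True if any secret-bearing value from %$d appears verbatim in $text.
sub leaks_secret {
    my ( $text, $d ) = @_;
    foreach my $k (qw(Password Confirm NewPassword)) {
        next unless defined $d->{$k};
        return 1 if index( $text, $d->{$k} ) >= 0;
    }
    return 0;
}

# Perl precedence: '^' binds only to 'Password'; the other alternatives match
# anywhere in the name. Neither regex anchors the whole alternation.
my $before = qr/^Password|form|webName/;            # unpatched
my $after  = qr/^Password|Confirm|form|webName/;    # patched

for my $case ( [ 'unpatched', $before ], [ 'patched', $after ] ) {
    my ( $label, $re ) = @$case;
    my $mail = mail_denylist( $template, \%data, $re );
    printf "%-9s denylist leaks: %s\n", $label,
        leaks_secret( $mail, \%data ) ? 'yes' : 'no';
}

# A hypothetical extra secret field: it does not start with 'Password' and
# does not contain 'Confirm', so the denylist appends it; the allowlist does not.
$data{NewPassword} = 'Hunter2!';
printf "patched denylist with NewPassword leaks: %s\n",
    leaks_secret( mail_denylist( $template, \%data, $after ), \%data ) ? 'yes' : 'no';
printf "allowlist with NewPassword leaks: %s\n",
    leaks_secret( mail_allowlist( $template, \%data ), \%data ) ? 'yes' : 'no';
print mail_allowlist( $template, \%data );
```

Run it with `perl` from any directory; it needs no Foswiki installation. The unpatched regex lets `Confirm: Pa55word` through, the patched one drops it, and only the allowlist variant stays clean once a further secret-carrying field such as the hypothetical `NewPassword` is added.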

Checked in the above fix. Without being able to recreate the issue, I can't confirm that this is a good fix. But it should not cause any issues.

-- GeorgeClark - 09 Jul 2016
 
Topic revision: r8 - 31 Jan 2018, GeorgeClark