00724: Change type='text' to type='password' in ?action=attr

Summary: Change type='text' to type='password' in ?action=attr
Created: 2006-04-22 13:29
Status: Closed - declined
Category: Feature
From: PhakE**
Priority: 55 XX

Description: I really consider this to be a security risk; passwords should never be seen in plain text, not even on admin sites. There's always the risk of someone behind your back.

And it's really a simple fix, just edit line 1597 in pmwiki.php 2.1.3:


<td><input type='text' name='$attr' value='$value' /></td>

To: <td><input type='password' name='$attr' value='$value' /></td>

Because the attribute fields may be used to enter items other than passwords, the entry fields are in cleartext. If it's important to make this a configurable option, I can do that.


These fields allow entering two or more passwords, auth @groups and page locks @lock and @nopass, all separated by spaces (a space is not allowed in passwords nor in keywords, nor @ as a first character). If the field is "password", a user can successfully lock himself and to recover the page he will need an administrator. --Petko August 02, 2007, at 07:34 PM


--Pm November 14, 2007, at 09:55 AM
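
The field format described in the comments above (space-separated passwords, @groups, and the @lock / @nopass keywords) can be illustrated with a small classifier. This is an added example, not PmWiki code; the function names and sample values are hypothetical, and the classification rules are only those stated in the thread.

```python
LOCK_KEYWORDS = {"@lock", "@nopass"}  # the two page-lock keywords named above


def parse_attr_field(value):
    """Classify the space-separated entries of one attribute field."""
    parsed = {"passwords": [], "groups": [], "locks": []}
    for token in value.split():
        if token in LOCK_KEYWORDS:
            parsed["locks"].append(token)
        elif token.startswith("@"):
            parsed["groups"].append(token)     # any other @name is an auth group
        else:
            parsed["passwords"].append(token)  # passwords never start with @
    return parsed


def redacted_summary(value):
    """Describe the field's structure without echoing any password."""
    parsed = parse_attr_field(value)
    parts = [f"{len(parsed['passwords'])} password(s)"]
    if parsed["groups"]:
        parts.append("groups: " + " ".join(parsed["groups"]))
    if parsed["locks"]:
        parts.append("locks: " + " ".join(parsed["locks"]))
    return "; ".join(parts)


# Constructed sample values (not taken from any real wiki).
INTENDED = "s3cret backup-pw @editors"
SLIPPED = "s3cret backup-pw editors"  # the leading @ was missed while typing

if __name__ == "__main__":
    # A type='password' input would render both values as dots, so the slip
    # that turns a group into a third password could not be seen on screen.
    for field in (INTENDED, SLIPPED, "@lock", "@nopass"):
        print(redacted_summary(field))
```

The summaries of `INTENDED` and `SLIPPED` differ in password count and group list, which is the kind of mistake that stays hidden when the whole field is masked.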