Mail password configuration not secured #1850

Closed
vanmil opened this issue Mar 17, 2016 · 3 comments

@vanmil
Contributor

vanmil commented Mar 17, 2016

Hi all,

One thing I noticed today was that in Settings --> Mail Configuration --> Password, the password is visible in plain text. I think it is (at least) desirable that the password here is presented in stars (*******).

I have made an (edited) screenshot:
Image of problem

I think this is a serious issue as a personal email password can be viewed by all persons who can access this particular back-end account (like the web-developer).

@daftspunk
Member

I can see how this would be an issue if you were using your Gmail account to send mail. Usually this password is for an API / robot account so the password is less sensitive.

Presenting the password with stars would still make it possible to see the underlying password by viewing the source. We would have to empty the field instead; this can sometimes make it look like it hasn't been populated.

@LukeTowers
Contributor

Closing in favour of #1061

bennothommo added a commit that referenced this issue Jul 8, 2020
A field widget that allows for entering of sensitive information that can be revealed at the user's request - ie. API keys, secrets.

When a sensitive field that has been previously populated is loaded again, a placeholder is used instead of the real value, until the user opts to reveal the value. The real value is loaded via AJAX.

Credit to @tomaszstrojny for the original implementation.

Replaces #5062. Fixes #5061, #1850, perhaps #1061.

Co-authored-by: Tomasz Strojny <tomasz@init.biz>
Co-authored-by: Luke Towers <github@luketowers.ca>
@bennothommo
Contributor

Fixed by #5201.
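
The difference discussed in this thread, as an added example that is not code from this project: a masked input still carries the password in the page source, while a placeholder plus an explicit reveal request does not. All function names, the placeholder string, the permission name and the sample secret are hypothetical or constructed, and the permission check and audit entry on reveal are assumptions of this example, not something the thread describes.

```javascript
// Hypothetical names throughout; the sample secret below is constructed.
const PLACEHOLDER = '__SENSITIVE_UNCHANGED__';

const escapeHtml = (s) => String(s).replace(/[&<>"']/g,
  (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Weak: type="password" only masks the glyphs; the secret is still in the markup.
function renderMasked(name, stored) {
  return `<input type="password" name="${escapeHtml(name)}" value="${escapeHtml(stored)}">`;
}

// Hardened: a populated field renders a fixed placeholder, never the secret,
// so the form still looks populated without exposing the value.
function renderSensitive(name, stored) {
  const value = stored ? PLACEHOLDER : '';
  return `<input type="password" name="${escapeHtml(name)}" value="${value}" autocomplete="off">`;
}

// Save handler: a submitted placeholder means "unchanged", so keep the stored
// secret instead of overwriting it with the placeholder string.
function applySubmitted(stored, submitted) {
  return submitted === PLACEHOLDER ? stored : submitted;
}

// Reveal handler (the AJAX call): the real value leaves the server only on an
// explicit request. Assumption: it is gated by a permission and audited.
function revealSecret(user, stored, auditLog) {
  const allowed = user.permissions.includes('settings.manage_mail');
  auditLog.push({ user: user.login, action: 'reveal_mail_password', allowed });
  if (!allowed) return { status: 403 };
  return { status: 200, value: stored };
}

// Runs the weak and hardened paths over constructed data.
function demo() {
  const stored = 'S3cr3t-"smtp"-pass';
  const log = [];
  return {
    maskedLeaks: renderMasked('mail_password', stored).includes(escapeHtml(stored)),
    sensitiveLeaks: renderSensitive('mail_password', stored).includes(escapeHtml(stored)),
    keptOnSave: applySubmitted(stored, PLACEHOLDER) === stored,
    developer: revealSecret({ login: 'webdev', permissions: ['cms.edit_pages'] }, stored, log).status,
    admin: revealSecret({ login: 'admin', permissions: ['settings.manage_mail'] }, stored, log),
    log,
  };
}
console.log(demo());
```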
