It got posted to the developer list yesterday, so it would seem at least some of the maintainers think it's an issue worth discussion.
On Wednesday, August 27, 2014 1:11:57 PM UTC-4, Mark Li wrote: > > Under the Net tab in Firebug, the Post contains the submitted variables, > and the response tab is the HTML of the returned page. This response > contains the password input value in plain text. > > If I submitted the password as "asdf" and submitted the registration form > with failures, the response will contain this (as shown in the net tab): > <input class="password" id="auth_user_password" name="password" type= > "password" value="asdf" /> > > Does no one else experience this behavior? > > On Tuesday, August 26, 2014 11:08:14 AM UTC-7, Willoughby wrote: >> >> Using the same Firebug, look at the Net tab - look at your post and the >> response. >> >> >> On Tuesday, August 26, 2014 1:32:14 PM UTC-4, Mark Li wrote: >>> >>> Looking at the password input through Firebug/developer tools, and the >>> value of the password input is the plaintext of the password I entered. >>> >>> I have a test site here: >>> http://tedlee.pythonanywhere.com/welcome/default/user/register >>> >>> Typing in a password and failing registration will return that password. >>> Is this just the behavior of a modern browser (to remember failed inputs), >>> or is it web2py form handling? >>> >>> In the case that web2py did only return asterisks, wouldn't that be very >>> misleading to the user? Because the password input is masked, they would >>> assume that the returned password value (after registration failure) was >>> what they previously had typed, not a password replaced with asterisks. >>> Thus on re-submitting the form, they would not think to alter the password >>> and would just submit a password with asterisks. >>> >>> On Monday, August 25, 2014 3:25:44 PM UTC-7, Derek wrote: >>>> >>>> Have you actually looked at it? I believe it just returns asterisks. >>>> >>>> On Monday, August 25, 2014 3:02:49 PM UTC-7, Mark Li wrote: >>>>> >>>>> I am currently looking into whether or not password fields should be >>>>> cleared on registration error after the form fails server-side >>>>> validation. >>>>> At the moment, web2py shows the password after a registration error, >>>>> instead of leaving it blank. While this may make editing the password >>>>> easier (in case there are pw errors), it seems to pose a security risk >>>>> because you are sending the password back to the client in plain text. To >>>>> my understanding, this would allow the page to be cached with the >>>>> password's value in plain text. >>>>> >>>>> I tested this on a variety of browsers and systems, so to the best of >>>>> my knowledge this is behavior is not unique to a browser. >>>>> >>>>> Does this pose a reasonable security risk? >>>>> >>>>> Some reference links: >>>>> >>>>> http://ux.stackexchange.com/questions/39999/why-do-most-create-account-forms-clear-the-password-fields-upon-wrong-validation >>>>> >>>>> http://ux.stackexchange.com/questions/20418/when-form-submission-fails-password-field-gets-blanked-why-is-that-the-case >>>>> >>>> -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
