Thanks for pointing this out.

Anthony
On Wednesday, August 27, 2014 5:54:15 PM UTC-4, Mark Li wrote:
>
> This problem was patched here today:
> https://github.com/web2py/web2py/commit/5364193759f266e0c07128de2a7b6b54a82ef736
>
> On Wed, Aug 27, 2014 at 10:40 AM, Willoughby <neil.erik...@gmail.com> wrote:
>
>> It got posted to the developer list yesterday, so it would seem at least some of the maintainers think it's an issue worth discussion.
>>
>> On Wednesday, August 27, 2014 1:11:57 PM UTC-4, Mark Li wrote:
>>>
>>> Under the Net tab in Firebug, the Post contains the submitted variables, and the response tab is the HTML of the returned page. This response contains the password input value in plain text.
>>>
>>> If I submitted the password as "asdf" and submitted the registration form with failures, the response will contain this (as shown in the Net tab):
>>>
>>> <input class="password" id="auth_user_password" name="password" type="password" value="asdf" />
>>>
>>> Does no one else experience this behavior?
>>>
>>> On Tuesday, August 26, 2014 11:08:14 AM UTC-7, Willoughby wrote:
>>>>
>>>> Using the same Firebug, look at the Net tab - look at your post and the response.
>>>>
>>>> On Tuesday, August 26, 2014 1:32:14 PM UTC-4, Mark Li wrote:
>>>>>
>>>>> Looking at the password input through Firebug/developer tools, and the value of the password input is the plaintext of the password I entered.
>>>>>
>>>>> I have a test site here: http://tedlee.pythonanywhere.com/welcome/default/user/register
>>>>>
>>>>> Typing in a password and failing registration will return that password. Is this just the behavior of a modern browser (to remember failed inputs), or is it web2py form handling?
>>>>>
>>>>> In the case that web2py did only return asterisks, wouldn't that be very misleading to the user?
>>>>> Because the password input is masked, they would assume that the returned password value (after registration failure) was what they previously had typed, not a password replaced with asterisks. Thus on re-submitting the form, they would not think to alter the password and would just submit a password with asterisks.
>>>>>
>>>>> On Monday, August 25, 2014 3:25:44 PM UTC-7, Derek wrote:
>>>>>>
>>>>>> Have you actually looked at it? I believe it just returns asterisks.
>>>>>>
>>>>>> On Monday, August 25, 2014 3:02:49 PM UTC-7, Mark Li wrote:
>>>>>>>
>>>>>>> I am currently looking into whether or not password fields should be cleared on registration error after the form fails server-side validation. At the moment, web2py shows the password after a registration error, instead of leaving it blank. While this may make editing the password easier (in case there are pw errors), it seems to pose a security risk because you are sending the password back to the client in plain text. To my understanding, this would allow the page to be cached with the password's value in plain text.
>>>>>>>
>>>>>>> I tested this on a variety of browsers and systems, so to the best of my knowledge this behavior is not unique to a browser.
>>>>>>>
>>>>>>> Does this pose a reasonable security risk?
>>>>>>>
>>>>>>> Some reference links:
>>>>>>> http://ux.stackexchange.com/questions/39999/why-do-most-create-account-forms-clear-the-password-fields-upon-wrong-validation
>>>>>>> http://ux.stackexchange.com/questions/20418/when-form-submission-fails-password-field-gets-blanked-why-is-that-the-case

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
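The thread above boils down to two things a maintainer wants: a way to notice when a re-rendered form echoes a submitted password in a `value` attribute, and a rendering rule that never puts the password there in the first place. The following is an added example, not web2py's code and not the commit linked above; it uses only the Python standard library. `render_form`, `REGISTRATION_FIELDS` and the sample `ECHOING_RESPONSE` markup are constructed for illustration (the sample mirrors the `<input ... value="asdf" />` shape reported in the thread), and the checker generalizes to every `type="password"` input in a page rather than the single field discussed.

```python
"""Added example (not web2py code): detect password values echoed back in a
re-rendered form, and render the form so that never happens."""
from html import escape
from html.parser import HTMLParser


class PasswordEchoFinder(HTMLParser):
    """Collects <input type="password"> elements that carry a non-empty value."""

    def __init__(self):
        super().__init__()
        self.echoed = []  # (field name, echoed value) pairs

    def handle_starttag(self, tag, attrs):
        # HTMLParser routes self-closing <input ... /> tags here as well.
        if tag != "input":
            return
        a = dict(attrs)  # attribute names are already lower-cased
        if (a.get("type") or "").lower() != "password":
            return
        if a.get("value"):  # None or "" means nothing was echoed
            self.echoed.append((a.get("name"), a["value"]))


def find_echoed_passwords(html_text):
    """Return [(name, value), ...] for every password input that echoes a value.

    Run this over the HTML your app returns after a failed form submission
    (for example inside an integration test); an empty list is the goal."""
    finder = PasswordEchoFinder()
    finder.feed(html_text)
    finder.close()
    return finder.echoed


# Constructed sample: a registration form re-rendered after validation
# failure with the submitted passwords placed in the value attributes.
ECHOING_RESPONSE = """
<form method="post">
  <input id="auth_user_email" name="email" type="text" value="user@example.com" />
  <input class="password" id="auth_user_password" name="password" type="password" value="asdf" />
  <input class="password" id="auth_user_password_two" name="password_two" type="password" value="asdf" />
  <div class="error">Passwords do not match</div>
</form>
"""

# Hypothetical field list for a registration form: (field name, input type).
REGISTRATION_FIELDS = [
    ("email", "text"),
    ("password", "password"),
    ("password_two", "password"),
]


def render_form(fields, submitted, clear_passwords=True):
    """Re-render the form with the submitted values filled back in.

    With clear_passwords=True (the hardened behaviour) every password input
    is emitted with an empty value, so the secret never travels back to the
    client, into the browser's page cache, or into an intermediate cache in
    plain text. clear_passwords=False reproduces the echoing behaviour."""
    lines = ['<form method="post">']
    for name, ftype in fields:
        value = submitted.get(name, "")
        if ftype == "password" and clear_passwords:
            value = ""
        lines.append(
            '  <input name="%s" type="%s" value="%s" />'
            % (escape(name, quote=True), escape(ftype, quote=True), escape(value, quote=True))
        )
    lines.append("</form>")
    return "\n".join(lines)


if __name__ == "__main__":
    submitted = {"email": "user@example.com", "password": "asdf", "password_two": "asdg"}
    print("reported response:", find_echoed_passwords(ECHOING_RESPONSE))
    print("echoing render:  ", find_echoed_passwords(render_form(REGISTRATION_FIELDS, submitted, clear_passwords=False)))
    print("hardened render: ", find_echoed_passwords(render_form(REGISTRATION_FIELDS, submitted)))
```

The checker is deliberately tolerant of markup it does not understand: it only looks at `input` start tags, so it works on any server's output, and it reports the field name alongside the value so a failing test points straight at the offending field. The usability trade-off raised in the thread (the user has to retype the password) is the price of the hardened branch; the alternative of putting asterisks in the value, as the thread notes, would silently submit a wrong password.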