PhilETaylor
15 Jan 2021

Summary of Changes

Currently in Joomla 4, the Password field (used for fields like the Joomla Global Configuration Database Password) uses a mask and doesn't show the actual password (because $lock is set).

The placeholder is a set of bullets (used to be asterisks).

The placeholder and mask are currently the same length as the REAL PASSWORD, therefore giving away too much information about the real value of the password.

This PR changes this behaviour to set a standard (plucked out of the air) 10 bullets mask/placeholder so that the real length of the underlying password is not leaked to the viewer.

Testing Instructions

Check Joomla Global Configuration -> Database password - Note the number of bullets equals the number of chars in your REAL database password
Apply PR
Check Joomla Global Configuration -> Database password - Note the number of bullets equals 10.

Actual result BEFORE applying this Pull Request

The length of the real password was leaked to the user interface when the password field was locked specifically to hide such a password.

Expected result AFTER applying this Pull Request

10 bullet length placeholder/hint regardless of the length of the underlying password.

Documentation Changes Required

None.
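
A regression check for the behaviour described in this PR, as an added example that is not code from the pull request or from Joomla: the two render functions are hypothetical stand-ins for the locked password field before and after the change, and the check asserts that the markup is identical for secrets of different lengths. The field name and the sample secrets are constructed.

```php
<?php
// Added illustration: hypothetical helpers, not Joomla's password field layout.

const MASK_CHAR = '•';
const FIXED_MASK_LENGTH = 10; // the constant length chosen in the PR

/** "Before" behaviour: the placeholder length tracks the secret's length. */
function renderLockedBefore(string $name, string $secret): string
{
    $mask = str_repeat(MASK_CHAR, strlen($secret));

    return sprintf(
        '<input type="password" name="%s" placeholder="%s" value="">',
        htmlspecialchars($name, ENT_QUOTES),
        $mask
    );
}

/** "After" behaviour: the placeholder is the same for every secret. */
function renderLockedAfter(string $name, string $secret): string
{
    $mask = str_repeat(MASK_CHAR, FIXED_MASK_LENGTH);

    return sprintf(
        '<input type="password" name="%s" placeholder="%s" value="">',
        htmlspecialchars($name, ENT_QUOTES),
        $mask
    );
}

/** True when the markup is byte-identical for every secret (no length or content leak). */
function isSecretIndependent(callable $render, array $secrets): bool
{
    $distinct = [];
    foreach ($secrets as $secret) {
        $distinct[$render('db_password', $secret)] = true;
    }

    return count($distinct) === 1;
}

// Constructed sample secrets of different lengths.
$secrets = ['a', 'hunter2', 'correct horse battery staple'];

foreach (['renderLockedBefore', 'renderLockedAfter'] as $renderer) {
    $verdict = isSecretIndependent($renderer, $secrets) ? 'independent of secret' : 'LEAKS';
    echo $renderer, ': ', $verdict, PHP_EOL;
}
```

The same comparison can be pointed at any third-party layout that reuses a locked password field, which is the reuse case raised in the discussion.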

PhilETaylor - open - 15 Jan 2021
PhilETaylor - change - 15 Jan 2021
Status: New → Pending
joomla-cms-bot - change - 15 Jan 2021
Category: Layout
HLeithner - comment - 15 Jan 2021

This is a hint of the password length; actually, it's intended to give the user a feeling if the password is right, but yeah, it can be removed.

PhilETaylor - comment - 15 Jan 2021

I appreciate that, but that is probably not the right thing to do, to show the length, as it reveals information about the password.

OK, in the context of Joomla Global Configuration it's not harmful, but remember this code can be reused elsewhere... and you cannot always be sure that 3PD would never use it incorrectly.

toivo - comment - 15 Jan 2021

I have tested this item successfully on 1321f41

Tested successfully in Beta7-dev of 15 January.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/32045.

toivo - test_item - 15 Jan 2021 - Tested successfully
gostn - test_item - 16 Jan 2021 - Tested successfully
gostn - comment - 16 Jan 2021

I have tested this item successfully on 1321f41



Quy - change - 21 Jan 2021
Status: Pending → Ready to Commit
Quy - comment - 21 Jan 2021

RTC



HLeithner - close - 22 Jan 2021
HLeithner - merge - 22 Jan 2021
HLeithner - change - 22 Jan 2021
Status: Ready to Commit → Fixed in Code Base
Closed_Date: 0000-00-00 00:00:00 → 2021-01-22 22:39:49
Closed_By: HLeithner
HLeithner - comment - 22 Jan 2021

Thanks
