Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#37970] - Attempt to prevent information disclosure

? Pending

User tests: Successful: Unsuccessful:

avatar alexandreelise
alexandreelise
3 Jun 2022

For example if someone is looking over your shoulder while you have backup oteps shown. This little modification tries to mitigate this possibility.
One side note. The details text should be a language string.

Pull Request for Issue #37969.

Summary of Changes

add details/summary html5 tags

Testing Instructions

Enable 2FA in administrator for a user in Registered group
Login in frontend with this Registered user
Go to edit profile
Scroll down to see Oteps backup codes

Actual result BEFORE applying this Pull Request

Oteps backup codes show immediately and might disclose information

Expected result AFTER applying this Pull Request

Oteps Backup codes don't show immediately. Rather, they show only if we click on Details

Documentation Changes Required

Possibly.

avatar alexandreelise alexandreelise - open - 3 Jun 2022
avatar alexandreelise alexandreelise - change - 3 Jun 2022
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 3 Jun 2022
Category Front End com_users
avatar alexandreelise alexandreelise - change - 3 Jun 2022
Labels Added: ?
avatar joomla-cms-bot joomla-cms-bot - change - 3 Jun 2022
Category Front End com_users Front End com_users Language & Strings
avatar alexandreelise alexandreelise - change - 3 Jun 2022
Labels Added: Language Change
avatar richard67
richard67 - comment - 3 Jun 2022

@alexandreelise Thanks for this PR. Unfortunately I am not sure if it will make sense in 4.1 because there will be only one more 4.1.x release before 4.2.0 will come, and in 4.2. the 2FA will be completely reworked and renamed to MFA (multi-factor authentication). See PR #37912 for the ongoing work.

I haven't checked yet if that PR will bring back the thing which you want to solve with this PR here. But that might be the case, and your changes would be lost.

@brianteeman As you have checked Nik's PR already: Do you know if it already works like that, show the backup codes only on demand?

avatar brianteeman
brianteeman - comment - 3 Jun 2022

if there is even just one more release then this should be included even if the replacement code in 4.2 will not use it

Of course if you use the global string of JDETAILS then there is no problem at all.

avatar joomla-cms-bot joomla-cms-bot - change - 3 Jun 2022
Category Front End com_users Language & Strings Front End com_users
avatar alexandreelise alexandreelise - change - 3 Jun 2022
Labels Removed: Language Change
avatar brianteeman
brianteeman - comment - 22 Jun 2022

As there will now not be another 4.1 release this can be closed as it is not relevant for 4.2

avatar Quy Quy - change - 22 Jun 2022
Status Pending Closed
Closed_Date 0000-00-00 00:00:00 2022-06-22 14:33:46
Closed_By Quy
avatar Quy Quy - close - 22 Jun 2022

Add a Comment

Login with GitHub to post a comment