Foswiki Tasks Web: Item14104 (last changed 18 Feb 2017 by GeorgeClark)

Item14104: Plain text password is sent by email in registration approval request.

Priority: Normal
Current State: Closed
Released In: 2.1.3
Target Release: patch
Applies To: Engine
Component: FoswikiUIRegister
Branches: Release02x01 master Item13897
Reported By: AdrianWadey
Waiting For:
Last Change By: GeorgeClark
Is it right that a new user's password is sent as plain text in the "Foswiki registration approval required" email?

Example:

  A user requires your approval to complete their registration
  * Confirm: Pa55word
  * Email: adrianw@somewhere.com
  * FirstLastName: Adrian Wadey
  * Name: Adrian Wadey
  To approve this registration, visit http://somewhere.net/bin/register?action=approve;code=AdrianWadey.31031031;referee=AdminUser
  To block this registration, visit http://somewhere.net/bin/register?action=disapprove;code=AdrianWadey.31031031;referee=AdminUser

-- AdrianWadey - 01 Jul 2016

It definitely should NOT be exposed this way.

But, I can't seem to recreate this issue. I've tried it on a newly installed Foswiki 2.1.2 system, as well as on a git checkout of our development code. The Password field is always obfuscated with ******. I've never seen the Confirm: field sent in any of the emails, regardless of the settings.

Could you show the "register" keys from your LocalSite.cfg?
grep -i register lib/LocalSite.cfg
... (omitted noise)
$Foswiki::cfg{Register}{AllowLoginName} = 0;
$Foswiki::cfg{Register}{Approvers} = 'JoeUser';
$Foswiki::cfg{Register}{DisablePasswordConfirmation} = 0;
$Foswiki::cfg{Register}{EmailFilter} = '';
$Foswiki::cfg{Register}{EnableNewUserRegistration} = 1;
$Foswiki::cfg{Register}{ExpireAfter} = 21600;
$Foswiki::cfg{Register}{HidePasswd} = 1;
$Foswiki::cfg{Register}{NeedApproval} = 1;
$Foswiki::cfg{Register}{NeedVerification} = 1;
$Foswiki::cfg{Register}{RegistrationAgentWikiName} = 'RegistrationAgent';
$Foswiki::cfg{Register}{UniqueEmail} = 0;

I've found one possible place in the code where the "Confirm" field might slip through, but even seeing this, I cannot recreate the problem. You could try the following patch to see if it resolves the issue:

diff --git lib/Foswiki/UI/Register.pm lib/Foswiki/UI/Register.pm
index fb11240..4c6e713 100755
--- lib/Foswiki/UI/Register.pm
+++ lib/Foswiki/UI/Register.pm
@@ -2053,7 +2053,7 @@ sub _sendEmail {
     foreach my $field ( keys %$data ) {
         my $f = uc($field);
         unless ( $text =~ s/\%$f\%/$data->{$field}/g ) {
-            unless ( $field =~ m/^Password|form|webName/
+            unless ( $field =~ m/^Password|Confirm|form|webName/
                 || !defined( $data->{$field} )
                 || $data->{$field} !~ /\W/ )
             {
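Review bot: in the new pattern `m/^Password|Confirm|form|webName/` the `^` anchor binds only to the first alternative, so `Confirm` (like `form` and `webName` before it) matches anywhere in the field name rather than at its start; if the intent is to exclude fields that begin with these names, group the alternation as `m/^(?:Password|Confirm|form|webName)/`, otherwise a comment saying the substring match is deliberate would help the next reader. Note also that this exclusion only governs the fallback for fields with no matching placeholder: the enclosing `unless ( $text =~ s/\%$f\%/$data->{$field}/g )` has already substituted any field whose uppercased name appears as `%FIELD%` in the template, so a template containing `%CONFIRM%` (or `%PASSWORD%`) would still receive the value regardless of this change, and the email templates are worth checking separately.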

-- GeorgeClark - 01 Jul 2016

Checked in the above fix. Without being able to recreate the issue, I can't confirm that this is a good fix. But it should not cause any issues.

-- GeorgeClark - 09 Jul 2016
 
Topic revision: r6 - 18 Feb 2017, GeorgeClark
