Insecure Storage of credentials

Description

When a user can access the administrative area of the site, it is possible to view the database connection information on an existing store. When viewing the data source, as seen below, the password is replaced with a line of asterisks. However, when a user views the source of the page, the information is shown in clear text.

</li>
</ul><ul>
<li title="password used to login">
<label><span>passwd</span></label>
<div>

<input class="text" type="password" value="SuperSecretPassword" name="parametersPanel:parameters:6:parameterPanel:border:border_body:paramValue"/>

</div>
</li>
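The leak described above is easy to miss in a UI review because the browser masks the field, but it is trivial to catch in the rendered markup. The following check is an added example (not part of the GeoServer issue or code base): it parses server-rendered HTML and flags every password input whose value attribute is populated. The sample markup, the field name "passwd" and the fixed variant are constructed to mirror the fragment quoted in the issue.

```python
"""Audit rendered HTML for password inputs that echo their value.

A <input type="password"> that carries the stored secret in its value
attribute is masked on screen but visible to anyone who can view the page
source, proxy the response or read the browser cache. This auditor walks
the markup and reports such fields so the check can run in a test suite.
"""
from html.parser import HTMLParser
from typing import Dict, List, Tuple


class PasswordValueAuditor(HTMLParser):
    """Collect (name, value) for every password input with a non-empty value."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        # Self-closing <input .../> tags also arrive here via the default
        # handle_startendtag implementation.
        if tag.lower() != "input":
            return
        a: Dict[str, str] = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "password" and a.get("value"):
            self.findings.append((a.get("name", "<unnamed>"), a["value"]))


def find_leaked_password_values(html: str) -> List[Tuple[str, str]]:
    """Return [(field name, leaked value), ...] found in the given HTML."""
    auditor = PasswordValueAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def redact(value: str) -> str:
    """Keep only the length so a report never re-leaks the secret."""
    return "*" * len(value)


# Constructed sample: shape of the vulnerable fragment quoted in the issue.
SAMPLE_LEAKING = """
<ul>
<li title="password used to login">
<label><span>passwd</span></label>
<div>
<input class="text" type="password" value="SuperSecretPassword" name="passwd"/>
</div>
</li>
</ul>
"""

# Constructed sample of the safe rendering: the field is emitted empty and
# the server only updates the stored secret when a non-empty value is posted.
SAMPLE_FIXED = """
<ul>
<li title="password used to login">
<label><span>passwd</span></label>
<div>
<input class="text" type="password" value="" name="passwd"/>
</div>
</li>
</ul>
"""

if __name__ == "__main__":
    for name, value in find_leaked_password_values(SAMPLE_LEAKING):
        print(f"leak: field {name!r} renders its secret ({redact(value)})")
    if not find_leaked_password_values(SAMPLE_FIXED):
        print("fixed markup: no password values rendered")
```

Running the auditor over the HTML returned by an admin page (after authenticating with a test account) turns this class of bug into a regression test: any password field that comes back with a non-empty value fails the build. The report deliberately prints only the length of the value so the test output does not itself become a place where the secret is stored.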

Environment

None

Activity

Andrea Aime
March 16, 2019, 11:44 AM

Just merged a pull request on master to fix this. Could not find anyone to review it prior to merge though.
Could you test a nightly build? Any build with a date of March 16th or later (yet to be produced at the time of writing) should contain the fix:
https://build.geoserver.org/geoserver/master/

Andrea Aime
March 29, 2019, 10:38 AM

Will leave on master only then

Assignee

Andrea Aime

Reporter

Stephan

Priority

Medium