1633: Repository configuration should not expose passwords

rti****@gmai***** (Google Code) (Is this you? Claim this profile.)
March 21, 2011 
ReviewBoard should not render stored passwords when viewing repository
configuration. This can be achieved by adding render_value=False to the
input field:

/reviewboard/scmtools/forms.py:

    password = forms.CharField(
        label=_("Password"),
        required=False,
-        widget=forms.PasswordInput(attrs={'size': '30'}))
+        widget=forms.PasswordInput(render_value=False, attrs={'size': '30'}))
chipx86
#1 chipx86 
I'm confused. Are you saying today that it's showing the raw password text, or it's
showing "*"s? I'm seeing the "*"s for the password entry (which is the default in
PasswordInput).
  • +NeedInfo
#2 degrand********@gmai***** (Google Code) (Is this you? Claim this profile.) 
I don't know if it's related, but for example, if you display the HTML source of the
e-mail configuration page, you see the e-mail password in clear text...
david
#3 david
  • -NeedInfo
    +New
  • -Type-Defect
    +Type-Enhancement
    +Milestone-Release1.5
#4 rti****@gmai***** (Google Code) (Is this you? Claim this profile.) 
Sorry for the delay. It shows * but if one look at the html source the passwords are
there in clear text (as degrande.samuel already mentioned).
chipx86
#5 chipx86 
The problem with this is that if you want to actually set the password to an empty
string, you won't be able to. That, or we'd require that the password be re-entered
on every change to the repository. Neither of these are acceptable options.

render_value is meant for determining whether the value should be rendered after a
validation error, not for handling initial display. Using it for this purpose
wouldn't be sufficient.
#6 rti****@gmai***** (Google Code) (Is this you? Claim this profile.) 
I agree, the solution is not perfect, though can be used as a workaround. From the
other side, exposing passwords in plain text is not good in some configurations too.
May be the best option would be upstream fix in django password field — it is not a
big deal to implement "never_expose_passwords=true" parameter without limitations you
mentioned. The upstream fix is good as I don't think that it is something really
specific to the ReviewBoard.
david
#7 david 
Looks like there's not a good, easy solution to this that works everywhere. Deferring.
  • -Milestone-Release1.5
    +Milestone-Release1.6
david
#8 david
  • +Component-Admin
david
#9 david 
After thinking about this for a while, I think the solution is "use https"
  • -New
    +WontFix
#10 rti****@gmai***** (Google Code) (Is this you? Claim this profile.) 
"Use https" is not a solution for the original issue (the problem was that passwords were visible when user clicks the "view source" button). However I agree that the setup when several users can edit the configuration but only one knows the password is not very common and probably not right.
So I agree with the "Won't fix" decision.