#3153 closed enhancement (fixed)
Insecure content warning in converter password field
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 2.6 | Priority: | high |
| Severity: | normal | Version: | 2.1 |
| Component: | API - Importers | Keywords: | |
| Cc: | | | |
Description
With the onset of HTTPS everywhere, today's web browsers are beginning to alert users about possible insecure content being transmitted across the web.
One place this is prevalent in bbPress is the database password field in the importer. In Chrome on a non-HTTPS domain, a warning will appear in the console with a link off to a Google page explaining the notice.
Browser vendors have promised that future versions will continue to make these alerts more and more intrusive to users, until the web is HTTPS and using SSL by default.
Attachments (1)
Change History (5)
The easy solution is to switch the database password field away from a type of `password` and just use `text`. Browsers see `password` fields as globally insecure on non-HTTPS pages, which triggers the above warning.

The problem as I see it, is that the value of this field is saved to the database. This was originally so that subsequent queries from the batch processor aren't reliant on cookies, and so lengthy imports could be handed off to other admins without needing to re-enter those credentials.
I really don't consider the saving of the database password to the database a security problem by itself, but revealing the database password anywhere in the UI could be. The bbPress screens are protected by roles & capability checks, so it's not really a concern IMO, but it's worth documenting this bit for future discussion.
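An added illustration of the two points raised in this comment (the `password` versus `text` input type, and the saved credential being echoed back into the UI). This is example code written for this ticket, not bbPress's converter code. The comment above proposes switching the field to `text` unconditionally; this example additionally keeps `password` when the admin page is served over HTTPS, which is an illustrative choice. The function names, the `$is_ssl` / `$has_saved_value` parameters and the `_bbp_converter_db_pass` field name are assumptions; inside WordPress one would use `is_ssl()` and `esc_attr()` rather than the plain PHP calls shown here.

```php
<?php
// Added example for bbPress ticket #3153; not the project's own importer code.
// Assumed names: bbp_example_db_password_field(), bbp_example_effective_db_password(),
// and the field name _bbp_converter_db_pass.

/**
 * Build the markup for the importer's database password field.
 *
 * On a plain-HTTP admin page a type="password" input triggers the browser's
 * insecure-password warning, so the field is rendered as type="text" there.
 * Over HTTPS the warning does not fire and type="password" is kept.
 *
 * The stored password is never written into the value attribute: an empty
 * submission means "keep the saved credential". The credential can therefore
 * stay in the database for the batch processor without appearing in the page
 * source or on screen in a type="text" field.
 */
function bbp_example_db_password_field( bool $is_ssl, bool $has_saved_value ): string {
    $type        = $is_ssl ? 'password' : 'text';
    $placeholder = $has_saved_value ? 'Saved; leave blank to keep' : '';

    return sprintf(
        '<input type="%s" name="_bbp_converter_db_pass" value="" autocomplete="off" placeholder="%s" />',
        htmlspecialchars( $type, ENT_QUOTES, 'UTF-8' ),        // esc_attr() inside WordPress
        htmlspecialchars( $placeholder, ENT_QUOTES, 'UTF-8' )  // esc_attr() inside WordPress
    );
}

/**
 * Decide which database password the next batch step should use.
 *
 * A non-empty submission replaces the stored credential; an empty submission
 * keeps it, so a long import can be handed to another admin (or resumed after
 * a cookie expires) without re-entering the password.
 */
function bbp_example_effective_db_password( string $submitted, string $stored ): string {
    return $submitted !== '' ? $submitted : $stored;
}

// Usage: a plain-HTTP admin page with a credential already saved.
$field = bbp_example_db_password_field( false, true );
echo $field, PHP_EOL;

// Usage: the admin left the field blank, so the stored credential is reused.
$password = bbp_example_effective_db_password( '', 'stored-secret' );
echo 'using stored credential: ', ( $password === 'stored-secret' ? 'yes' : 'no' ), PHP_EOL;
```

Rendering the field as `text` removes the browser warning but also shows whatever is in it in clear text; leaving the value attribute empty and treating an empty submission as "keep the saved password" avoids displaying the stored credential at all, which addresses the UI-exposure concern raised above while keeping the hand-off between admins that the saved value was introduced for.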