Skip to:

Opened 7 years ago

Closed 7 years ago

Last modified 5 years ago

#3153 closed enhancement (fixed)

Insecure content warning in converter password field

Reported by: johnjamesjacoby's profile johnjamesjacoby Owned by:
Milestone: 2.6 Priority: high
Severity: normal Version: 2.1
Component: API - Importers Keywords:


With the onset of HTTPS everywhere, today's web browsers are beginning to alert users about possible insecure content being transmitted across the web.

One place this is prevalent in bbPress is the database password field in the importer. In Chrome on a non-HTTPS domain, a warning will appear in the console with a link off to a Google page explaining the notice.

Future versions of web browsers have promised to continue to make these alerts more and more user intrusive, until the web is HTTPS and using SSL by default.

Attachments (1)

Screen Shot 2017-08-22 at 10.31.25 AM.png (40.0 KB) - added by johnjamesjacoby 7 years ago.

Download all attachments as: .zip

Change History (5)

#1 @johnjamesjacoby
7 years ago

The easy solution is to switch the database password field away from a type of password and just use text. Browsers see password fields as globally insecure on non-HTTPS pages, which triggers the above warning.

The problem as I see it, is that the value of this field is saved to the database. This was originally so that subsequent queries from the batch processor aren't reliant on cookies, and so lengthy imports could be handed off to other admins without needing to re-enter those credentials.

I really don't consider the saving of the database password to the database a security problem by itself, but revealing the database password anywhere in the UI could be. The bbPress screens are protected by roles & capability checks, so it's not really a concern IMO, but it's worth documenting this bit for future discussion.

#2 @johnjamesjacoby
7 years ago

In 6677:

Converter: Add toggle to show/hide the database password contents.

This change provides a relatively sane middle-ground for insecure content warnings in the converter, by providing a button to toggle the password field back and forth to a text field. Ideally, in the future, there will be a legitimate way to do this.

Trunk, for 2.6. See #3153.

#3 @johnjamesjacoby
7 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Let's call this fixed for 2.6, and revisit sometime in the future as browser security progresses.

#4 @johnjamesjacoby
5 years ago

Assigning all closed & unassigned tickets in the 2.6 milestone to myself.

Note: See TracTickets for help on using tickets.