[jira] [Commented] (CONNECTORS-737) passwords handling in Manifold

Wed, 26 Jun 2013 04:59:50 -0700 

    [ 
https://issues.apache.org/jira/browse/CONNECTORS-737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13693929#comment-13693929
 ] 

Karl Wright commented on CONNECTORS-737:
----------------------------------------

Hi Maciej,

There's all sorts of havoc an unauthorized user can wreak if an unauthorized 
user has access to the ManifoldCF UI.  Getting access to passwords is just a 
small part of that.  That was my point.

The current recommendation is therefore that access to the ManifoldCF UI be 
restricted to only the people who have access to such passwords.  If that's not 
possible then your proposal isn't going to help much.

I'm not opposed to starting the process of tightening up the UI so that it is 
secure in an open environment, but please do understand that it is just the 
first of many steps.

As for the approach you propose, I would like to think through a canonical 
implementation.  As you point out, it affects nearly every connector, and 
therefore we want to do it right in one connector first, before we apply it 
everywhere.  If we go with a special token indicating "password unchanged", 
then we should make sure that the password includes special Unicode characters 
that are unlikely to come up in real passwords, and we should standardize this 
special string by maybe putting it in the BaseConnector classes as a constant.



                
> passwords handling in Manifold
> ------------------------------
>
>                 Key: CONNECTORS-737
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-737
>             Project: ManifoldCF
>          Issue Type: Bug
>            Reporter: Maciej Lizewski
>
> Currently you can see stored passwords in HTML body of the page which is 
> quite big security hole. We could rewrite it so that the field is presented 
> with some predefined constant string, like "###########" (only to show the 
> field with some entered text). Then in process*Post handlers we should check 
> if someone entered anything different here and only in such case overwrite 
> previously stored password. When posted value is equal to "###########" - we 
> leave previous password in configuration intact.
> this applies to almost all connectors...

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to