Re: Issue 1633 in reviewboard: Repository configuration should not expose passwords

2011-03-21 Thread reviewboard


Comment #10 on issue 1633 by rtimush: Repository configuration should not  
expose passwords

http://code.google.com/p/reviewboard/issues/detail?id=1633

"Use https" is not a solution for the original issue (the problem was that
passwords were visible when a user clicks the "view source" button).
However, I agree that the setup where several users can edit the
configuration but only one knows the password is not very common and
probably not right.

So I agree with the "Won't fix" decision.

--
You received this message because you are subscribed to the Google Groups 
"reviewboard-issues" group.
To post to this group, send email to reviewboard-issues@googlegroups.com.
To unsubscribe from this group, send email to 
reviewboard-issues+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/reviewboard-issues?hl=en.



Re: Issue 1633 in reviewboard: Repository configuration should not expose passwords

2011-03-21 Thread reviewboard

Updates:
Status: WontFix

Comment #9 on issue 1633 by trowb...@gmail.com: Repository configuration  
should not expose passwords

http://code.google.com/p/reviewboard/issues/detail?id=1633

After thinking about this for a while, I think the solution is "use https"




Re: Issue 1633 in reviewboard: Repository configuration should not expose passwords

2010-10-10 Thread reviewboard

Updates:
Labels: Component-Admin

Comment #8 on issue 1633 by trowbrds: Repository configuration should not  
expose passwords

http://code.google.com/p/reviewboard/issues/detail?id=1633

(No comment was entered for this change.)




Re: Issue 1633 in reviewboard: Repository configuration should not expose passwords

2010-06-11 Thread reviewboard

Updates:
Labels: -Milestone-Release1.5 Milestone-Release1.6

Comment #7 on issue 1633 by trowbrds: Repository configuration should not  
expose passwords

http://code.google.com/p/reviewboard/issues/detail?id=1633

Looks like there's not a good, easy solution to this that works everywhere.  
Deferring.





Re: Issue 1633 in reviewboard: Repository configuration should not expose passwords

2010-05-27 Thread reviewboard


Comment #6 on issue 1633 by rtimush: Repository configuration should not  
expose passwords

http://code.google.com/p/reviewboard/issues/detail?id=1633

I agree, the solution is not perfect, though it can be used as a workaround.
From the other side, exposing passwords in plain text is not good in some
configurations too. Maybe the best option would be an upstream fix in the
Django password field — it is not a big deal to implement a
"never_expose_passwords=true" parameter without the limitations you
mentioned. The upstream fix is good as I don't think that it is something
really specific to ReviewBoard.




Re: Issue 1633 in reviewboard: Repository configuration should not expose passwords

2010-05-27 Thread reviewboard


Comment #5 on issue 1633 by chipx86: Repository configuration should not  
expose passwords

http://code.google.com/p/reviewboard/issues/detail?id=1633

The problem with this is that if you want to actually set the password to
an empty string, you won't be able to. That, or we'd require that the
password be re-entered on every change to the repository. Neither of these
are acceptable options.

render_value is meant for determining whether the value should be rendered
after a validation error, not for handling initial display. Using it for
this purpose wouldn't be sufficient.




Re: Issue 1633 in reviewboard: Repository configuration should not expose passwords

2010-05-26 Thread reviewboard


Comment #4 on issue 1633 by rtimush: Repository configuration should not  
expose passwords

http://code.google.com/p/reviewboard/issues/detail?id=1633

Sorry for the delay. It shows * but if one looks at the HTML source the
passwords are there in clear text (as degrande.samuel already mentioned).




Re: Issue 1633 in reviewboard: Repository configuration should not expose passwords

2010-05-26 Thread reviewboard

Updates:
Status: New
Labels: -Type-Defect Type-Enhancement Milestone-Release1.5

Comment #3 on issue 1633 by trowbrds: Repository configuration should not  
expose passwords

http://code.google.com/p/reviewboard/issues/detail?id=1633

(No comment was entered for this change.)




Re: Issue 1633 in reviewboard: Repository configuration should not expose passwords

2010-05-15 Thread reviewboard


Comment #2 on issue 1633 by degrande.samuel: Repository configuration  
should not expose passwords

http://code.google.com/p/reviewboard/issues/detail?id=1633

I don't know if it's related, but for example, if you display the HTML
source of the e-mail configuration page, you see the e-mail password in
clear text...




Re: Issue 1633 in reviewboard: Repository configuration should not expose passwords

2010-05-06 Thread reviewboard

Updates:
Status: NeedInfo

Comment #1 on issue 1633 by chipx86: Repository configuration should not  
expose passwords

http://code.google.com/p/reviewboard/issues/detail?id=1633

I'm confused. Are you saying today that it's showing the raw password text,
or it's showing "*"s? I'm seeing the "*"s for the password entry (which is
the default in PasswordInput).





Issue 1633 in reviewboard: Repository configuration should not expose passwords

2010-04-29 Thread reviewboard

Status: New
Owner: 
Labels: Type-Defect Priority-Medium

New issue 1633 by rtimush: Repository configuration should not expose  
passwords

http://code.google.com/p/reviewboard/issues/detail?id=1633

ReviewBoard should not render stored passwords when viewing repository
configuration. This can be achieved by adding render_value=False to the
input field:

/reviewboard/scmtools/forms.py:

password = forms.CharField(
label=_("Password"),
required=False,
-widget=forms.PasswordInput(attrs={'size': '30'}))
+widget=forms.PasswordInput(render_value=False,  
attrs={'size': '30'}))
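
Review bot: On the added `render_value=False` widget line, the field stays `required=False`, so once the stored value is no longer rendered an untouched edit form submits an empty password, and nothing in this hunk distinguishes "left blank" from "clear the password". Suggest pairing the widget change with save-side handling that keeps the existing password when the field comes back empty, plus an explicit way to clear it, and stating that behaviour in the field's help text.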


--
You received this message because you are listed in the owner
or CC fields of this issue, or because you starred this issue.
You may adjust your issue notification preferences at:
http://code.google.com/hosting/settings
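
As an added example (not Review Board code and not written by any participant in this thread), the check below scans rendered form HTML for password inputs whose value is echoed into the page source, and pairs it with one possible save-side rule that lets the field render empty without forcing re-entry. The function names, the `clear_requested` flag and the sample HTML are assumptions constructed for illustration.

```python
# Added example, not Review Board code. Names and sample HTML are constructed.
from html.parser import HTMLParser


class PrefilledPasswordFinder(HTMLParser):
    """Collect <input type="password"> fields that carry a non-empty value."""

    def __init__(self):
        super().__init__()
        self.exposed = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {name: (value or "") for name, value in attrs}
        if a.get("type", "").lower() == "password" and a.get("value"):
            self.exposed.append(a.get("name", "<unnamed>"))


def exposed_password_fields(html):
    """Return names of password inputs whose value is echoed into the source."""
    finder = PrefilledPasswordFinder()
    finder.feed(html)
    finder.close()
    return finder.exposed


def resolve_password(stored, submitted, clear_requested=False):
    """Save-side rule (an assumption, one possible design): a blank field keeps
    the stored password; clearing it needs the explicit clear_requested flag."""
    if clear_requested:
        return ""
    return submitted if submitted else stored


# Constructed form fragments: stored value echoed vs. field rendered empty.
ECHOED_FORM = """
<input type="text" name="username" value="svc-review" />
<input type="password" name="password" size="30" value="constructed-secret" />
"""
EMPTY_FORM = """
<input type="text" name="username" value="svc-review" />
<input type="password" name="password" size="30" />
"""

if __name__ == "__main__":
    print(exposed_password_fields(ECHOED_FORM))
    print(exposed_password_fields(EMPTY_FORM))
    print(resolve_password("old-secret", ""))
```

Running the scanner over the admin pages of a test instance as part of a regression suite catches any form that starts echoing a stored secret again.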
