[web2py] Re: Registration password field security risk on form failure?

2014-08-27 Thread Mark Li
Under the Net tab in Firebug, the Post contains the submitted variables, and the response tab is the HTML of the returned page. This response contains the password input value in plain text. If I submitted the password as asdf and submitted the registration form with failures, the response

[web2py] Re: Registration password field security risk on form failure?

2014-08-27 Thread Willoughby
It got posted to the developer list yesterday, so it would seem at least some of the maintainers think it's an issue worth discussion.

On Wednesday, August 27, 2014 1:11:57 PM UTC-4, Mark Li wrote:
Under the Net tab in Firebug, the Post contains the submitted variables, and the response tab

Re: [web2py] Re: Registration password field security risk on form failure?

2014-08-27 Thread Mark Li
This problem was patched here today: https://github.com/web2py/web2py/commit/5364193759f266e0c07128de2a7b6b54a82ef736

On Wed, Aug 27, 2014 at 10:40 AM, Willoughby neil.erik...@gmail.com wrote:
It got posted to the developer list yesterday, so it would seem at least some of the maintainers

Re: [web2py] Re: Registration password field security risk on form failure?

2014-08-27 Thread Anthony
Thanks for pointing this out.

Anthony

On Wednesday, August 27, 2014 5:54:15 PM UTC-4, Mark Li wrote:
This problem was patched here today: https://github.com/web2py/web2py/commit/5364193759f266e0c07128de2a7b6b54a82ef736
On Wed, Aug 27, 2014 at 10:40 AM, Willoughby neil.erik...@gmail.com

[web2py] Re: Registration password field security risk on form failure?

2014-08-26 Thread Mark Li
Looking at the password input through Firebug/developer tools, the value of the password input is the plaintext of the password I entered.

I have a test site here: http://tedlee.pythonanywhere.com/welcome/default/user/register

Typing in a password and failing registration will return that

[web2py] Re: Registration password field security risk on form failure?

2014-08-26 Thread Willoughby
Using the same Firebug, look at the Net tab - look at your post and the response.

On Tuesday, August 26, 2014 1:32:14 PM UTC-4, Mark Li wrote:
Looking at the password input through Firebug/developer tools, the value of the password input is the plaintext of the password I entered. I

[web2py] Re: Registration password field security risk on form failure?

2014-08-25 Thread Derek
Have you actually looked at it? I believe it just returns asterisks.

On Monday, August 25, 2014 3:02:49 PM UTC-7, Mark Li wrote:
I am currently looking into whether or not password fields should be cleared on registration error after the form fails server-side validation. At the moment,