Univention Bugzilla – Bug 45574
Pop up dialog which expose given password
Last modified: 2017-11-15 16:46:57 CET
Created attachment 9256: Screenshot of pop up dialog

The customer reported that under some circumstances a pop up dialog shows up from time to time which shows (exposes) the already given password. Screenshot attached.
Which browser and browser version is this? What does "already given" password mean? The password is not stored anywhere in plain text in the backend. So the password which is then shown was entered after opening the user object, right!?
The problem is in _notifyAboutAutomaticChanges() in ucs-4.2-2/management/univention-management-console-module-udm/umc/js/udm/DetailPage.js where "changes" will be shown with:

    dialog.alert(_('The following empty properties were set to default values in the form. These values will be applied when saving.') + changes)

"changes" must be cleaned of clear text passwords.
(In reply to Daniel Tröder from comment #2)
> The problem is in _notifyAboutAutomaticChanges() in
> ucs-4.2-2/management/univention-management-console-module-udm/umc/js/udm/
> DetailPage.js where "changes" will be shown with:
>
> dialog.alert(_('The following empty properties were set to default values in
> the form. These values will be applied when saving.') + changes)

My guess is that the password field was stored in the browser once. Now the browser touches the form and enters that stored value. The logic in _notifyAboutAutomaticChanges() then detects a change/difference and shows the message.

> "changes" must be cleaned of clear text passwords.

No.
(In reply to Florian Best from comment #1)
> Which browser and browser version is this?
> What does "already given" password mean? The password is not stored anywhere
> in plain text in the backend. So the password which is then shown was
> entered after opening the user object, right!?

IE 11, version 11.674.15063.0. The user was already created and opened for editing.

"The user account already existed. I set the password. Then I wanted to test whether the setting that the same password cannot be assigned more than once still works. Then the message in question appeared when I actually wanted to jump to 'Password (repeat)'."
I talked with the customer today and we reproduced the issue with Firefox 56. Furthermore, I checked that no cached credentials were set before. The message pops up from time to time, sometimes very early, when you have just written one or two letters (see second screenshot).

The problem for the customer here is that the current workflow to reset passwords for users is as follows:

1. The student forgot his/her password.
2. He/she went physically to the helpdesk.
3. The helpdesk person checks the passport and the "schülerausweis".
4. The helpdesk person (Domain Admin) opens the user in the user module.
5. The student sets a new password for him/herself and the dialog potentially pops up.

At least the helpdesk and maybe further persons can see the password.
Created attachment 9262: Second screenshot
Okay, this sounds like Bug #33148. The password is entered while the user is not yet fully loaded. Is the environment large? Or is the internet connection slow?
(In reply to Florian Best from comment #7)
> Okay, this sound like Bug #33148. The password is entered while the user is
> not yet fully loaded. Is the environment large? or the internet connection
> slow?

Yes, the environment is large. The internet connection was very accurate.
Created attachment 9267: patch

This patch adds a standby animation as long as not all form values are loaded.
*** Bug 33148 has been marked as a duplicate of this bug. ***
A transparent standby animation has been added which prevents the form from being edited while not all values are loaded.

univention-management-console-module-udm.yaml
d81f7c212428 | Bug #45574: Merge branch 'fbest/33148-standby-animation-during-object-loading' into 4.2-2
61a488865931 | YAML Bug #45574

univention-management-console-module-udm (7.0.10-24)
d81f7c212428 | Bug #45574: Merge branch 'fbest/33148-standby-animation-during-object-loading' into 4.2-2
c8c57558100d | Bug #45574: enable standby animation during loading of objects
OK Standby animation is shown while an object is loading
OK Form values cannot be edited while object is loading
YAML: OK
-> verified
<http://errata.software-univention.de/ucs/4.2/220.html>
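
The race discussed in this thread, as a simplified model added here for illustration (not UMC code and not the attached patch). The class DetailForm, its methods and the sample values are hypothetical, and the change detection is an assumed simplification of what _notifyAboutAutomaticChanges() does: input typed before the object finishes loading is mistaken for an automatically set default and echoed in the dialog text, while gating input until loading completes removes the disclosure.

```javascript
// Hypothetical model; names and values are constructed for this example.
class DetailForm {
  constructor(gateUntilLoaded) {
    this.gateUntilLoaded = gateUntilLoaded; // true models the standby overlay
    this.loaded = false;
    this.values = {};  // what the form widgets currently hold
    this.alerts = [];  // text that would be passed to an alert dialog
  }

  // A keystroke reaching a widget. Returns false if the overlay swallowed it.
  type(field, text) {
    if (this.gateUntilLoaded && !this.loaded) return false;
    this.values[field] = text;
    return true;
  }

  // The backend response arrives and is compared with the form state.
  finishLoading(serverValues) {
    const changes = [];
    for (const field of Object.keys(this.values)) {
      const fromServer = serverValues[field] ?? '';
      // Assumed simplification: any difference counts as an "automatic change".
      if (this.values[field] !== fromServer) {
        changes.push(`${field}: ${this.values[field]}`);
      }
    }
    for (const [field, value] of Object.entries(serverValues)) {
      if (!(field in this.values)) this.values[field] = value;
    }
    this.loaded = true;
    if (changes.length > 0) {
      this.alerts.push('The following empty properties were set to default ' +
        'values in the form. ' + changes.join(', '));
    }
  }
}

function simulate(gateUntilLoaded) {
  const secret = 'S3cret-constructed'; // constructed sample password
  const form = new DetailForm(gateUntilLoaded);
  const earlyAccepted = form.type('password', secret); // typed during loading
  form.finishLoading({ username: 'student1', password: '' });
  const lateAccepted = form.type('password', secret);  // typed after loading
  const leaked = form.alerts.some((a) => a.includes(secret));
  return { earlyAccepted, lateAccepted, leaked, alertCount: form.alerts.length };
}
```
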