Hi. First off, I have not been able to recreate this error since I have no idea how it occurred in the first place, sorry about that. We noticed that there was a file in the tmp/ folder of Grav where the full user info, including the password in plain text, was stored. The file in question had the path tmp/forms/1t7s6fp7acrft0u19ipcv55ij9/53b4e6cd0157f1bda2634add9c67d7de/index.yaml
Content of the file with sensitive information removed:
The file stayed for months in the folder until we deleted it manually. Since tmp/ is not blocked by the supplied web server configs, the file has in principle been accessible through the web server, though not in practice because of the seemingly random folder names in the path.
It makes me a bit uneasy knowing that unhashed passwords are allowed to touch disk, but maybe it's hard to get around since it looks like it is the forms plugin that has generated the file.
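As a defender-side check for the situation described in this report, the following is an added example (not code from Grav, the forms plugin, or the reporter): it walks a `tmp/forms/<session>/<form-id>/index.yaml` layout, flags files that still hold clear-text values under password-like keys, and flags files that have outlived a retention window, so stale form state can be found and purged instead of sitting on disk for months. The key names, the "hash starts with `$`" heuristic, the retention window, and the sample tree it builds in a temporary directory are all assumptions made for this example.

```python
import os
import re
import time
import tempfile
from pathlib import Path

# Keys whose values should never be persisted in clear text.
# Hypothetical list for this example; extend it to match your form fields.
SENSITIVE_KEYS = ("password", "password1", "password2", "passwd")

# Matches a simple YAML mapping entry such as "    password: hunter2".
_KEY_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9_\-]+)\s*:\s*(?P<value>.*)$")


def find_sensitive_entries(yaml_path: Path, keys=SENSITIVE_KEYS):
    """Return (key, line_number) pairs for sensitive keys whose value is
    non-empty and does not look like a password hash. Deliberately
    line-based so it needs no YAML library and tolerates half-written files.
    The "$" prefix check is a heuristic for bcrypt/argon style hashes."""
    hits = []
    with yaml_path.open("r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            m = _KEY_RE.match(line)
            if not m:
                continue
            key = m.group("key").lower()
            value = m.group("value").strip().strip("'\"")
            if key in keys and value and not value.startswith("$"):
                hits.append((key, lineno))
    return hits


def scan_forms_tmp(tmp_root: Path, max_age_days: float = 1.0, now=None):
    """Walk tmp/forms/**/index.yaml and report files that either contain
    clear-text sensitive fields or are older than max_age_days.
    Returns a list of dicts so a caller can log, alert on, or delete them."""
    now = time.time() if now is None else now
    findings = []
    forms_dir = tmp_root / "forms"
    if not forms_dir.is_dir():
        return findings
    for yaml_path in sorted(forms_dir.rglob("index.yaml")):
        age_days = (now - yaml_path.stat().st_mtime) / 86400
        sensitive = find_sensitive_entries(yaml_path)
        if sensitive or age_days > max_age_days:
            findings.append({
                "path": str(yaml_path.relative_to(tmp_root)),
                "age_days": round(age_days, 2),
                "sensitive_keys": [k for k, _ in sensitive],
            })
    return findings


def build_sample_tree(base: Path, now: float) -> Path:
    """Construct a throwaway tmp/ layout shaped like the path in the report.
    The session and form ids and all field values are made up."""
    tmp_root = base / "tmp"
    leaked = tmp_root / "forms" / "sessionaaaa" / "formid1111" / "index.yaml"
    leaked.parent.mkdir(parents=True)
    leaked.write_text(
        "form:\n"
        "  username: alice\n"
        "  email: alice@example.invalid\n"
        "  password: 'CorrectHorse'\n"      # constructed clear-text value
        "  password1: 'CorrectHorse'\n"
    )
    # Backdate the file by ~90 days, as in the report.
    old = now - 90 * 86400
    os.utime(leaked, (old, old))

    benign = tmp_root / "forms" / "sessionbbbb" / "formid2222" / "index.yaml"
    benign.parent.mkdir(parents=True)
    benign.write_text(
        "form:\n"
        "  subject: hello\n"
        "  password: '$2y$10$constructedhashvaluexxxxxxxxxxxxxxxxxx'\n"  # looks hashed
    )
    os.utime(benign, (now, now))
    return tmp_root


def demo():
    """Build the constructed tree and scan it; returns the findings list."""
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        tmp_root = build_sample_tree(Path(d), now)
        return scan_forms_tmp(tmp_root, max_age_days=1.0, now=now)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: age {f['age_days']} days, "
              f"clear-text keys {f['sensitive_keys']}")
```

Run it against a real installation by calling `scan_forms_tmp(Path("/path/to/grav/tmp"))` from a cron job or a monitoring hook; anything it returns is a candidate for deletion and, if clear-text keys are present, for a credential reset. It complements rather than replaces the two structural fixes the report points at: denying web access to `tmp/` at the web server level, and having the plugin avoid writing unhashed secrets to disk (or purging its session state promptly) in the first place.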