owncloud / web

:dragon_face: Next generation frontend for ownCloud Infinite Scale
https://owncloud.dev/clients/web/
GNU Affero General Public License v3.0

[admin-settings] Possible display of users' plaintext password #8470

Closed hurradieweltgehtunter closed 1 year ago

hurradieweltgehtunter commented 1 year ago

Steps to reproduce

  1. Open admin settings, Users panel, edit user
  2. Right click on password input field, open dev tools
  3. Change type of input field from “password” to “text”

Expected behaviour

Plaintext password should not be displayed; instead, a placeholder or something else.

Actual behaviour

(screenshot)

It sure is a bug that [Object object] gets displayed. But it also suggests that the plaintext password is meant to be displayed. I can only guess what the desired behaviour is, but displaying the plaintext password (= sending it to the browser) should be avoided due to security concerns. Only the user should have access to his password.

https://ocis.ocis-wopi.latest.owncloud.works

JammingBen commented 1 year ago

Does it happen when you type a password and then change the form to type="text", or even without typing anything?

The latter would be an issue indeed, but the former is normal behaviour as far as I'm aware. I can't reproduce the latter as well as the [object Object] bug 🤔

hurradieweltgehtunter commented 1 year ago

Can't reproduce it either anymore 🤷 Current behaviour is ok for me. Closing this issue.
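
The concern discussed in this thread, as an added example that is not part of the original issue or of the ownCloud Web code base: switching an input from `type="password"` to `type="text"` only reveals the value already held in the DOM, so the defence is to make sure a stored credential never reaches that value. All field names and helper functions below are hypothetical, and the sample record in the test is constructed.

```javascript
// Added example. Hypothetical helpers and field names, not ownCloud Web code.

// Keys that must never leave the server in a user record (assumed names).
const SECRET_KEYS = new Set(['password', 'passwordProfile', 'passwordHash'])

// Server side: drop credential-like fields before the record is serialized.
function toBrowserSafeUser(record) {
  return Object.fromEntries(
    Object.entries(record).filter(([key]) => !SECRET_KEYS.has(key))
  )
}

// Client side: the edit form's password field always starts empty and is
// never bound to data that came from the server.
function buildEditForm(user) {
  return {
    displayName: String(user.displayName ?? ''),
    mail: String(user.mail ?? ''),
    password: ''
  }
}

// Guard for the value bound to <input type="password">. A non-string (for
// example an object) would otherwise be coerced to "[object Object]".
function passwordInputValue(value) {
  return typeof value === 'string' ? value : ''
}

// Only send a password to the server when the admin typed a new one.
function buildUpdatePayload(form) {
  const payload = { displayName: form.displayName, mail: form.mail }
  const typed = passwordInputValue(form.password)
  if (typed.length > 0) {
    payload.password = typed
  }
  return payload
}
```

With these in place, the only password a type switch in dev tools can reveal is one the admin has just typed into the field, which is the case described as normal behaviour in the thread.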