Closed Bug 185340 Opened 22 years ago Closed 20 years ago

Password is in clear text

Categories

(Calendar :: General, defect)

defect
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: junk, Assigned: mvl)

Attachments

(1 file, 2 obsolete files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2.1) Gecko/20021130
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2.1) Gecko/20021130

Password is in clear text at the preferences/calendar/publish tab of the general
prefs of mozilla. Is it also saved in clear text?...

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Yes, in file "prefs.js" the following line contains it:
user_pref("calendar.publish.password", "THECLEARTEXTPASSWORD");

Should be somehow possible to use the password-manager for this.
Status: UNCONFIRMED → NEW
Ever confirmed: true
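
As an added example (not part of the bug report or the Calendar code), a small audit script for the problem confirmed above: it scans the text of a prefs.js for `user_pref` entries whose name looks like a credential and whose value is a non-empty string, and reports only the line number and pref name. The name pattern and the sample profile are assumptions constructed for illustration; only the `calendar.publish.password` line comes from this bug.

```python
import re

# One user_pref("name", value); line as written in a Mozilla prefs.js.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\)\s*;\s*$'
)
# Assumption: pref names containing these words hold credentials.
SECRET_NAME_RE = re.compile(r"(password|passwd|secret)", re.IGNORECASE)


def find_cleartext_secrets(prefs_text):
    """Return (line_no, pref_name) for every pref whose name looks like a
    credential and whose value is a non-empty string literal.
    The value itself is never returned, so the report can be shared."""
    findings = []
    for line_no, line in enumerate(prefs_text.splitlines(), start=1):
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref
        name, raw_value = m.group(1), m.group(2)
        if not SECRET_NAME_RE.search(name):
            continue
        # Only string literals can carry a password; skip booleans and integers.
        if len(raw_value) < 2 or raw_value[0] != '"' or raw_value[-1] != '"':
            continue
        if raw_value[1:-1]:  # an empty string stores nothing
            findings.append((line_no, name))
    return findings


# Constructed sample profile; only the calendar.publish.password line is
# taken from the bug report, the "example." names are hypothetical.
SAMPLE_PREFS = '''\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("calendar.publish.password", "THECLEARTEXTPASSWORD");
user_pref("example.publish.username", "someone");
user_pref("example.password.remember", true);
user_pref("example.remote.password", "");
'''

if __name__ == "__main__":
    for line_no, name in find_cleartext_secrets(SAMPLE_PREFS):
        print(f"prefs.js:{line_no}: {name} holds a cleartext string value")
```
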
Moreover, the possible password for remote calendar files is stored in plain
text in the file CalendarManager.rdf. 
New contact from mikep@oeone.com to mostafah@oeone.com
Filter on string OttawaMBA to get rid of these messages. 
Sorry for the spam.
Assignee: mikep → mostafah
If the Calendar can't connect to a remote server a warning dialog box appears. 
In this dialog box the password is printed as plain text.

Calendar Version: 
Mozilla Calendar 2003080811-cal
Mozilla/5.0 (Windows; U; Windows NT 5.0; de-AT; rv:1.4) Gecko/20030624
This is a security issue, definitely not a "minor" one.

IMHO Calendar should use the same wallet mechanism for storing passwords as the
rest of Mozilla.
Blocks: 229314
Severity: minor → major
OS: Windows 2000 → All
Hardware: PC → All
I agree wholeheartedly with the above comments. I think the plain text passwords
in the error message box are VERY bad. I was unaware as to the plain text
password in the RDF file, but this is also VERY serious for me.
Attached patch: first shot (obsolete)
This patch looks large, but it is mostly removing UI for password stuff.
The real work is on the notificationCallbacks stuff.
With this patch, there is no more UI to set a username or password. If you
connect to a remote calendar that needs a password, you will get a prompt
asking for one, and you can store it using the password manager.

There is no conversion of older passwords yet. Do we need that? After
conversion, do we want to delete the password attributes from the rdf?
Attachment #149294 - Flags: first-review?(mostafah)
Attached patch: updated patch (obsolete)
this time, hopefully don't break firebird.
Also removed text from the locale files.
Attachment #149294 - Attachment is obsolete: true
Attachment #149294 - Flags: first-review?(mostafah)
Comment on attachment 149582
updated patch

Ok, this doesn't work in FF either....
The only way I can think of to make this work is to edit contents.rdf of
wallet, but that means new xpi's won't work with older mozillas. (if you call
not having tools->password manager) not working.
Attachment #149582 - Attachment is obsolete: true
Would we be able to force a 'first-startup' flag of cal to modify the
contents.rdf of wallet via install.js, that way it /works/ at least on SM...then
in FF since the new FF builds won't support install.js you can get the rdf's
modified in tree ;-)

(I'm not sure how feasible this would be)
Changing contents.rdf from install.js won't work for me, because I build mozilla
with calendar. So I never run install.js :)
Attached patch: new try to work with firefox
A new try to get it working with firefox and friends. Don't use an overlay, but
just add a menuitem. Hide the menuitem based on the presence of wallet
components. Somewhat evil, but it seems to work. thanks to mconnor for the
idea.
Assignee: mostafah → mvl
Status: NEW → ASSIGNED
Attachment #149645 - Flags: first-review?(mostafah)
Attachment #149645 - Flags: first-review?(mostafah) → first-review+
patch checked in.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
For me it failed with Sunbird : 
*** Failed to load overlay chrome://communicator/content/utilityOverlay.xul 
That isn't due to this checkin. It is bug 243091 (aka "we don't care about
others, firefox is all that counts")
*** Bug 266203 has been marked as a duplicate of this bug. ***
*** Bug 295009 has been marked as a duplicate of this bug. ***
The bugspam monkeys have been set free and are feeding on Calendar :: General. Be afraid for your sanity!
QA Contact: gurganbl → general