Closed
Bug 185340
Opened 22 years ago
Closed 20 years ago
Password is in clear text
Categories
(Calendar :: General, defect)
Calendar
General
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: junk, Assigned: mvl)
References
Details
Attachments
(1 file, 2 obsolete files)
46.84 KB,
patch
|
mostafah
:
first-review+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2.1) Gecko/20021130 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2.1) Gecko/20021130 Password is in clear text at the preferences/calendar/publish tab of the general prefs of mozilla. Is it also saved in clear text?... Reproducible: Always Steps to Reproduce: 1. 2. 3.
Comment 1•22 years ago
|
||
Yes, in file "prefs.js" the following line contains it: user_pref("calendar.publish.password", "THECLEARTEXTPASSWORD"); Should be somehow possible to use the password-manager for this.
Updated•22 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Moreover, the possible password for remote calendar files is stored in plain text in the file CalendarManager.rdf.
Comment 3•21 years ago
|
||
New contact from mikep@oeone.com to mostafah@oeone.com Filter on string OttawaMBA to get rid of these messages. Sorry for the spam.
Assignee: mikep → mostafah
Comment 4•21 years ago
|
||
If the Calendar can't connect to a remote server a warning dialog box appears. In this dialog box the password is printed as plain text. Calendar Version: Mozilla Calendar 2003080811-cal Mozilla/5.0 (Windows; U; Windows NT 5.0; de-AT; rv:1.4) Gecko/20030624
Comment 5•20 years ago
|
||
This is a security issue, definitely not a "minor" one. IMHO Calendar should use the same wallet mechanism for storing passowrds as the rest of Mozilla.
Comment 6•20 years ago
|
||
I agree wholeheartedly with the above comments. I think the plain text passwords in the error message box are VERY bad. I was unaware as to the plain text password in the RDF file, but this is also VERY serious for me.
Assignee | ||
Comment 7•20 years ago
|
||
This patch looks large, but it is mostly removing UI for password stuff. The real work is on the notificationCallbacks stuff. With this patch, there is no more UI to set a username or password. If you connect to a remote calendar that needs a password, you will get a prompt asking for one, and you can store it using the password manager. There is no conversion of older passwords yet. Do we need that? After conversion, do we want to delete the password attributes from the rdf?
Assignee | ||
Updated•20 years ago
|
Attachment #149294 -
Flags: first-review?(mostafah)
Assignee | ||
Comment 8•20 years ago
|
||
this time, hopefully don't break firebird. Also removed text from the locale files.
Assignee | ||
Updated•20 years ago
|
Attachment #149294 -
Attachment is obsolete: true
Assignee | ||
Updated•20 years ago
|
Attachment #149294 -
Flags: first-review?(mostafah)
Assignee | ||
Comment 9•20 years ago
|
||
Comment on attachment 149582 [details] [diff] [review] updated patch Ok, this doesn't work in FF either.... The only way i can think of to make this work is to edit contents.rdf of wallet, but that means new xpi's wont work with older mozillas. (if you call not having tools->password manager) not working.
Attachment #149582 -
Attachment is obsolete: true
Comment 10•20 years ago
|
||
Would we be able to force a 'first-startup' flag of cal to modify the contents.rdf of wallet via install.js, that way it /works/ at least on SM...then in FF since the new FF builds won't support install.js you can get the rdf's modified in tree ;-) (I'm not sure how feasable this would be)
Assignee | ||
Comment 11•20 years ago
|
||
Changing contents.rdf from install.js won't work for me, because i build mozilla with calendar. So i never run install.js :)
Assignee | ||
Comment 12•20 years ago
|
||
A new try to get it working with firefox and friends. Don't use an overlay, but just add a menuitem. Hide the menuitem based on the presence of wallet components. Somewhat evil, but it seems to work. thanks to mconnor for the idea.
Assignee: mostafah → mvl
Status: NEW → ASSIGNED
Assignee | ||
Updated•20 years ago
|
Attachment #149645 -
Flags: first-review?(mostafah)
Updated•20 years ago
|
Attachment #149645 -
Flags: first-review?(mostafah) → first-review+
Assignee | ||
Comment 13•20 years ago
|
||
patch checked in.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Comment 14•20 years ago
|
||
For me it failed with Sunbird : *** Failed to load overlay chrome://communicator/content/utilityOverlay.xul
Assignee | ||
Comment 15•20 years ago
|
||
That isn't due to this checkin. It is bug bug 243091 (aka "we don't care about others, firefox is all that counts")
Assignee | ||
Comment 16•20 years ago
|
||
*** Bug 266203 has been marked as a duplicate of this bug. ***
Comment 17•19 years ago
|
||
*** Bug 295009 has been marked as a duplicate of this bug. ***
Comment 18•18 years ago
|
||
The bugspam monkeys have been set free and are feeding on Calendar :: General. Be afraid for your sanity!
QA Contact: gurganbl → general
You need to log in
before you can comment on or make changes to this bug.
Description
•