Re: [Postfixadmin-devel] SF.net SVN: postfixadmin:[482] trunk
From: Christian B. <pos...@cb...> - 2008-11-21 23:01:01
Hello,

On Thursday, 13 November 2008, Gin...@us... wrote:
> Revision: 482
> patch from int on irc - if $CONF[show_passwords] then do so

> Modified: trunk/templates/edit-mailbox.php
> Modified: trunk/edit-mailbox.php

I'd like to revert this change.

Reasons:
IMHO, showing the password is (only) useful at _mailbox creation_ to check the password (or to note it down if you used an autogenerated one). But it isn't useful when editing mailboxes for several reasons:

- the password field will just display stars, the "real" password will only be visible in the HTML source. That's useless.
- the HTML source (including the password) might be stored in the browser cache - which implies some security risk
- if the password is stored encrypted in the database, it will be displayed encrypted - which is more than useless ;-)
- edit-mailbox might think the user wants to change the password (because the password field isn't empty). This might result in semi-random passwords if passwords are stored encrypted in the database - the password hash will become the new password. (untested, but that's how I remember the code.)

Summary: There's no advantage for the user, but some possible problems.

GingerDog, do you agree on reverting this change?

Regards,

Christian Boltz
--
I understand German well. But replying in German would make me look like Trapatonni...
[Jaime Santos in suse-laptop]
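
The failure mode described in the message above, as an added example (not part of the original message and not PostfixAdmin's code): a hypothetical edit handler run once with a pre-filled password field and once with an empty one. The names `fPassword`, `render_prefilled`, `render_empty` and `apply_edit` are assumptions, as is storing passwords with `password_hash()`.

```php
<?php
// Added illustration with hypothetical names; this is not PostfixAdmin code.

// Constructed sample row: the database holds only a hash of the password.
$stored = [
    'username' => 'alice@example.org',
    'password' => password_hash('original-secret', PASSWORD_DEFAULT),
];

// Pre-filled edit form: the browser shows stars, but the stored column
// value is in the HTML source and may end up in the browser cache.
function render_prefilled(array $row): string
{
    return '<input type="password" name="fPassword" value="'
        . htmlspecialchars($row['password'], ENT_QUOTES) . '">';
}

// Edit form that never echoes the stored value.
function render_empty(): string
{
    return '<input type="password" name="fPassword" value="">';
}

// Edit handler: an empty field means "keep the current password";
// anything else is treated as a new password and hashed.
function apply_edit(array $row, array $post): array
{
    $submitted = $post['fPassword'] ?? '';
    if ($submitted !== '') {
        $row['password'] = password_hash($submitted, PASSWORD_DEFAULT);
    }
    return $row;
}

// Pre-filled form saved untouched: the browser posts the stored hash back.
$prefilled = apply_edit($stored, ['fPassword' => $stored['password']]);
// Empty form saved untouched: nothing is posted for the password.
$empty = apply_edit($stored, ['fPassword' => '']);

echo render_prefilled($stored), "\n", render_empty(), "\n";
foreach (['prefilled' => $prefilled, 'empty' => $empty] as $form => $row) {
    printf("%s form: original password works=%s, old hash works as password=%s\n",
        $form,
        var_export(password_verify('original-secret', $row['password']), true),
        var_export(password_verify($stored['password'], $row['password']), true));
}
```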