SessionProvider MySQL credentials are shown in the admin GUI as plaintext #7147

Closed
2 of 7 tasks
vpr-ossteam opened this issue Jun 6, 2019 · 5 comments · Fixed by #7300 or #9137
Labels
topic/security Something leaks user information or is otherwise vulnerable. Should be fixed!
Comments

@vpr-ossteam

  • Gitea version (or commit ref): 1.8.1
  • Git version: 2.7.4
  • Operating system: Ubuntu 16.04
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist:

Description

Greetings!
I'm using Gitea 1.8.1 with MySQL 5.7. And if I'm using MySQL for session storing purposes, I can see the credentials in the GUI as plaintext.

Steps to reproduce

  1. Select MySQL as the session storage in the config file:

         [session]
         PROVIDER        = mysql
         PROVIDER_CONFIG = someclient:somepassword@tcp(srv-mysql:3306)/someclient

  2. Reload Gitea
  3. Log in to Gitea with admin credentials
  4. Navigate to: Site Administration ⇒ Configuration ⇒ Session Configuration ⇒ Provider Config

Screenshots

[screenshot: 20190525-152945]
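The report boils down to one display-layer mistake: the admin page rendered `PROVIDER_CONFIG` verbatim, and for the mysql provider that value is a DSN carrying a password. The example below (added here; it is not Gitea's code and not taken from the fix PRs referenced in this thread) shows the masking a defender would want before such a value reaches a template. It follows the go-sql-driver/mysql DSN shape `user:password@protocol(address)/dbname?params`, splitting at the last `/` and then the last `@` so that passwords containing `@` or `/` are still masked correctly. The provider names `file` and `memory` are assumed to carry no secret; everything other than `mysql` is hidden outright, which is the behaviour the thread ends up accepting.

```go
package main

import (
	"fmt"
	"strings"
)

// MaskDSNPassword returns a go-sql-driver/mysql style DSN
// ("user:password@protocol(address)/dbname?params") with the password
// replaced by "***" so it can be shown on an admin page without leaking
// the credential. It mirrors the driver's own parsing order: the database
// name starts at the LAST '/', and the credentials end at the LAST '@'
// before it, because a password may itself contain '@' or '/'.
// DSNs with no credentials block or no password are returned unchanged.
// Hypothetical helper written for this example, not Gitea's code.
func MaskDSNPassword(dsn string) string {
	slash := strings.LastIndex(dsn, "/")
	if slash < 0 {
		return dsn // not a DSN shape we recognise; nothing to hide
	}
	at := strings.LastIndex(dsn[:slash], "@")
	if at < 0 {
		return dsn // no "user:password@" block at all
	}
	creds := dsn[:at]
	colon := strings.Index(creds, ":")
	if colon < 0 {
		return dsn // user only, no password to hide
	}
	return creds[:colon] + ":***" + dsn[at:]
}

// ProviderConfigForDisplay decides how a [session] PROVIDER_CONFIG value
// should be rendered in an admin view: the mysql provider's DSN gets its
// password masked; "file" and "memory" (assumed here to hold a path or
// nothing) pass through; any other provider's config is treated as opaque
// and hidden entirely. Hiding too much is the safe failure mode.
func ProviderConfigForDisplay(provider, config string) string {
	switch provider {
	case "mysql":
		return MaskDSNPassword(config)
	case "file", "memory":
		return config
	default:
		return "(hidden)"
	}
}

func main() {
	// Constructed sample using the DSN from the report above.
	fmt.Println(ProviderConfigForDisplay("mysql",
		"someclient:somepassword@tcp(srv-mysql:3306)/someclient"))
	// someclient:***@tcp(srv-mysql:3306)/someclient
}
```

The masking is applied to the string handed to the template, not to the stored setting, so the running session provider still sees the full DSN; only the rendered page changes.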

@zeripath zeripath changed the title MySQL credentials are shown in the GUI as plaintext SessionProvider MySQL credentials are shown in the GUI as plaintext Jun 6, 2019
@zeripath zeripath changed the title SessionProvider MySQL credentials are shown in the GUI as plaintext SessionProvider MySQL credentials are shown in the admin GUI as plaintext Jun 6, 2019
@lunny lunny added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Jun 8, 2019
@lunny lunny added this to the 1.9.0 milestone Jun 8, 2019
@markkrj

markkrj commented Nov 21, 2019

I still can see the password. I'm on version 1.10.0.
[screenshot]

Edit: Tested same config with 1.9.0 and also shows unmasked password.

@zeripath
Contributor

This was reFixed in #9002 and #8984

@markkrj

markkrj commented Nov 22, 2019

@zeripath Well, now it shows nothing:
[screenshot]
Running 1.10.0+10-gade5ec5aa

But still better than showing credentials.

@zeripath
Contributor

Do you have/get any logs?

@markkrj

markkrj commented Nov 22, 2019

No errors or strange logs in console, just usual router logs... I have the default gitea.log. Tell me if you need more.

techknowlogick pushed a commit that referenced this issue Nov 29, 2019
… (#9203)

* Properly fix #7147

Although #7300 properly shadows the password from the virtual session
provider, the template displaying the provider config still presumed
that the config was JSON.

This PR updates the template and properly hides the Virtual Session
provider.

Fixes #7147

* update per @silverwind's suggestion
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020