XWiki Platform / XWIKI-19948

Password hash might be leaked by diff once the xobject holding them is deleted

    Description

      Reproduction steps:

      • Create a user
      • With an Admin account, go to the user page in the object editor, remove the user xobject and save
      • Perform a diff between the last version and the previous one

      Expected result:

      • the password is obfuscated in the diff

      Obtained result:

      • the password value is displayed (should be a hash)

      See attached screenshot.

            People

              surli Simon Urli