  1. XWiki Platform
  2. XWIKI-8936

Watchlist dumps user's password hashes in its regular update mails


Details

    • Bug
    • Resolution: Fixed
    • Critical
    • 5.0-rc-1
    • 4.5.2
    • {Unused} Watchlist
    • None
    • Easy
    • N/A
    • N/A

    Description

      Watchlist regularly sends the diff of the changes on the watched documents for the past day. In this diff, new users or users that have updated their passwords will have their password hash printed out in the diff of the email that Watchlist sends out.

      This is caused by XWIKI-5261, but even so, Watchlist (or the underlying new/old diff module used by Watchlist) could simply choose to skip Password properties altogether, in an attempt to limit the proliferation of password hashes outside XWiki.
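
The mitigation suggested in the description, sketched as an added example (not XWiki's code and not the actual fix): a property diff that reports a password property as changed without emitting either value, covering both the new-user and the password-update case. All type and method names are hypothetical, and the sample data is constructed.

```java
import java.util.*;

public class WatchlistDiffSketch {
    enum PropType { STRING, PASSWORD }               // hypothetical property kinds
    record Prop(PropType type, String value) {}      // one property in one version
    static final String MASK = "********";

    /** Diff two versions of an object's properties for a notification mail. */
    static List<String> diffForMail(Map<String, Prop> oldV, Map<String, Prop> newV) {
        List<String> lines = new ArrayList<>();
        Set<String> names = new TreeSet<>(oldV.keySet());
        names.addAll(newV.keySet());
        for (String name : names) {
            Prop before = oldV.get(name), after = newV.get(name);
            String b = before == null ? "" : before.value();
            String a = after == null ? "" : after.value();
            if (b.equals(a)) continue;               // unchanged: nothing to report
            // Sensitive if either version types it as a password
            boolean secret = (before != null && before.type() == PropType.PASSWORD)
                    || (after != null && after.type() == PropType.PASSWORD);
            lines.add(secret ? name + ": " + MASK + " (changed)"
                    : name + ": '" + b + "' -> '" + a + "'");
        }
        return lines;
    }

    public static void main(String[] args) {
        // Constructed sample data: the "hashes" are placeholders, not real values
        Map<String, Prop> created = Map.of(
                "first_name", new Prop(PropType.STRING, "Ann"),
                "password", new Prop(PropType.PASSWORD, "hash:CONSTRUCTED-1"));
        Map<String, Prop> updated = Map.of(
                "first_name", new Prop(PropType.STRING, "Ann"),
                "password", new Prop(PropType.PASSWORD, "hash:CONSTRUCTED-2"));
        // Case 1: new user (no previous version); case 2: password update
        List<String> mail = new ArrayList<>(diffForMail(Map.of(), created));
        mail.addAll(diffForMail(created, updated));
        mail.forEach(System.out::println);
        for (String line : mail)
            if (line.contains("CONSTRUCTED"))
                throw new AssertionError("password hash leaked: " + line);
    }
}
```

Filtering on the declared property type rather than on the property name keeps any other password-typed field out of the mail as well.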


            People

              thomas_delafosse Thomas Delafosse
              enygma Eduard Moraru