
User's password in response html
Closed, ResolvedPublic


Sherif reported that the mobile link seems to be appending POST fields when generating the URL, so after submitting a username/password, the password appears in the text of the resulting page. Reproduction (the request URL is missing from the report as filed):

curl -i -s -k -X 'POST' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0' -H 'Referer:' -H 'Content-Type: application/x-www-form-urlencoded' \
  -b 'GeoIP=GB::51.5000:-0.1300:v4; centralnotice_bucket=1-4.2; uls-previous-languages=%5B%22en%22%5D; mediaWiki.user.sessionId=YI03bpxPjata58Fp5ZwwvIEB1r9p3PZs; enwikiSession=414940d3638c0d8c1bc3899d56b23f1a' \
  --data-binary $'wpName=%27%27&wpPassword=%27%27&wpLoginAttempt=Log+in&wpLoginToken=3037b08023402e508455f7340476341c' \

Version: unspecified
Severity: normal
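A small Python model of the defect and of the check a regression test would make, added here as an illustration; it is not MobileFrontend's code, and the host, path, sample values and the set of secret fields are assumptions.

```python
from urllib.parse import quote_plus, urlencode, urlunsplit
import html

# Constructed sample request for Special:UserLogin. The password and token are
# made-up placeholders; the field names are the ones in the report's curl body.
LOGIN_QUERY = {"title": "Special:UserLogin", "returnto": "Main_Page"}
LOGIN_POST = {
    "wpName": "Alice",
    "wpPassword": "s3cret pass!",
    "wpLoginAttempt": "Log in",
    "wpLoginToken": "token-placeholder",
}
SECRET_FIELDS = {"wpPassword", "wpLoginToken"}  # assumed set; never URL material
MOBILE_HOST = "en.m.wikipedia.org"  # assumed host, for illustration only

def mobile_link_buggy(path, query, post):
    """Models the defect as reported: every request value, POST body included,
    is merged into the generated mobile link."""
    params = dict(query)
    params.update(post)  # wpPassword now ends up in the query string
    return urlunsplit(("https", MOBILE_HOST, path, urlencode(params), ""))

def mobile_link_fixed(path, query, post=None):
    """Hardened version: only the query string feeds the link (the POST body is
    accepted for signature parity but deliberately ignored), and known secret
    fields are dropped even if a caller put them in the query string."""
    params = {k: v for k, v in query.items() if k not in SECRET_FIELDS}
    return urlunsplit(("https", MOBILE_HOST, path, urlencode(params), ""))

def render_footer(link):
    """Minimal stand-in for a page footer that embeds the mobile link."""
    return '<a href="%s">Mobile view</a>' % html.escape(link, quote=True)

def leaks_secret(page_html, secret):
    """Regression check: is the submitted secret anywhere in the response body,
    raw, HTML-escaped or URL-encoded? The URL-encoded form is the one the curl
    reproduction would show, since the link carries it as a query string."""
    forms = {secret, html.escape(secret, quote=True), quote_plus(secret)}
    return any(form in page_html for form in forms)

if __name__ == "__main__":
    secret = LOGIN_POST["wpPassword"]
    bad = render_footer(mobile_link_buggy("/w/index.php", LOGIN_QUERY, LOGIN_POST))
    good = render_footer(mobile_link_fixed("/w/index.php", LOGIN_QUERY, LOGIN_POST))
    print("buggy leaks:", leaks_secret(bad, secret))  # True
    print("fixed leaks:", leaks_secret(good, secret))  # False
```

Checking all three encodings matters: a plain substring search for the raw password would miss the URL-encoded copy that this bug actually produces.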



Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 3:42 AM
bzimport set Reference to bz70009.
bzimport added a subscriber: Unknown Object (MLST).

Is any further action required on this? Is this Zero-related, or is it something for MobileFrontend? If it's MobileFrontend, could we get Max and Kaldari on this bug?

cherifmansour wrote:

I'll defer to Chris as he knows the code base way better than I do as to where the issue resides.

For some reason I thought this was zero, but yeah, it looks more like mobile frontend. Max, can you take a look at this?

Created attachment 16681
Proposed fix

Proposed fix. Will commit tests separately because they would require FauxRequest changes in core to test reasonably.


The proposed fix looks good to me.