[PATCH] Avoid show user/password in url browser

There is a remote, but real, possibility that kimchi.min.js breaks and is not loaded for some reason in Kimchi login page. If this happens, the form submit action is not going to be bound to a javascript function that calls an AJAX POST request. Then the browser is going to submit the form in the default way: using a GET request. GET requests add form data in the URL, so user will be able to see the user and password in the URL field and in the log:
"GET /login.html?username=321&password=234 HTTP/1.0" 200 2936 "https://localhost:8001/login.html" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
This patch fixes this problem by adding 'method="post"' in the login html form.
Signed-off-by: Rodrigo Trujillo <rodrigo.trujillo@linux.vnet.ibm.com> --- ui/pages/login.html.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ui/pages/login.html.tmpl b/ui/pages/login.html.tmpl index e2f6855..55848b4 100644 --- a/ui/pages/login.html.tmpl +++ b/ui/pages/login.html.tmpl @@ -79,7 +79,7 @@ <div id="messUserPass" class="err-mess" style="display: none;">$_("The username or password you entered is incorrect. Please try again.")</div> <div id="messSession" class="err-mess" style="display: none;">$_("Session timeout, please re-login.")</div> </div> - <form id="form-login" class="login-panel"> + <form id="form-login" class="login-panel" method="post"> <div class="row"> <input type="text" id="username" name="username" required="required" placeholder="$_("User Name")" autofocus/> <div id="username-msg" class="msg-required"></div> -- 2.1.0
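Review bot: the changed `<form id="form-login" class="login-panel" method="post">` line still has no action attribute, so in the failure case this patch targets (kimchi.min.js not loaded) the browser will POST the username and password fields to the page's own URL, the same /login.html seen in the log line, not necessarily to the endpoint the AJAX handler uses. That does keep the credentials out of the URL bar and the access log, but the hunk does not show how the server answers a POST to that URL; please confirm it is handled or rejected cleanly, and consider adding an explicit action to the form so the fallback submission goes somewhere intentional.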
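Logs written before the fix may already hold credentials in the form shown in the commit message. The following is an added example, not part of the original post or of Kimchi: a Python audit of access-log lines in the layout quoted above that flags and redacts the `username` and `password` parameters in both the request target and the Referer field. The second sample line is constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Field names taken from the login form and the log line quoted in the patch mail.
SENSITIVE = {"username", "password"}

# Layout of the quoted log line:
# "METHOD target PROTO" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def redact_url(url):
    """Return (redacted_url, leaked_parameter_names) for a URL or request target."""
    parts = urlsplit(url)
    leaked, pairs = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            leaked.append(key)
            value = "REDACTED"
        pairs.append((key, value))
    if not leaked:
        return url, []
    return urlunsplit(parts._replace(query=urlencode(pairs))), leaked

def audit_line(line):
    """Check the request target and the Referer of one line; None if it does not parse."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    target, in_request = redact_url(m.group("target"))
    referer, in_referer = redact_url(m.group("referer"))
    redacted = (f'"{m.group("method")} {target} {m.group("proto")}" '
                f'{m.group("status")} {m.group("size")} "{referer}" "{m.group("agent")}"')
    return {"leaked_in_request": in_request, "leaked_in_referer": in_referer,
            "redacted": redacted}

SAMPLE_LINES = [
    # Log line quoted in the commit message.
    '"GET /login.html?username=321&password=234 HTTP/1.0" 200 2936 "https://localhost:8001/login.html" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"',
    # Constructed: the request after a GET submit carries the query string as Referer.
    '"GET /login.html HTTP/1.0" 200 2936 "https://localhost:8001/login.html?username=321&password=234" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(audit_line(sample))
```

The Referer check matters because a GET-submitted login leaves the credentials in the page URL, which the browser may then send along with later requests.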

Reviewed-By: Ramon Medeiros <ramonn@br.ibm.com>
On 09/01/2015 03:13 PM, Rodrigo Trujillo wrote:
There is a remote, but real, possibility that kimchi.min.js breaks and is not loaded for some reason in Kimchi login page. If this happens, the form submit action is not going to be bound to a javascript function that calls an AJAX POST request. Then the browser is going to submit the form in the default way: using a GET request. GET requests add form data in the URL, so user will be able to see the user and password in the URL field and in the log:
"GET /login.html?username=321&password=234 HTTP/1.0" 200 2936 "https://localhost:8001/login.html" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
This patch fixes this problem by adding 'method="post"' in the login html form.
Signed-off-by: Rodrigo Trujillo <rodrigo.trujillo@linux.vnet.ibm.com> --- ui/pages/login.html.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ui/pages/login.html.tmpl b/ui/pages/login.html.tmpl index e2f6855..55848b4 100644 --- a/ui/pages/login.html.tmpl +++ b/ui/pages/login.html.tmpl @@ -79,7 +79,7 @@ <div id="messUserPass" class="err-mess" style="display: none;">$_("The username or password you entered is incorrect. Please try again.")</div> <div id="messSession" class="err-mess" style="display: none;">$_("Session timeout, please re-login.")</div> </div> - <form id="form-login" class="login-panel"> + <form id="form-login" class="login-panel" method="post"> <div class="row"> <input type="text" id="username" name="username" required="required" placeholder="$_("User Name")" autofocus/> <div id="username-msg" class="msg-required"></div>
-- Ramon Nunes Medeiros Kimchi Developer Linux Technology Center Brazil IBM Systems & Technology Group Phone : +55 19 2132 7878 ramonn@br.ibm.com

Hi,
I've applied the same fix to wok branch / new-ui template files. I will include in the next series of patches.
Thanks, Samuel
-----Original Message----- From: kimchi-devel-bounces@ovirt.org [mailto:kimchi-devel-bounces@ovirt.org] On Behalf Of Rodrigo Trujillo Sent: Tuesday, 1 September 2015 15:13 To: kimchi-devel@ovirt.org Subject: [Kimchi-devel] [PATCH] Avoid show user/password in url browser
There is a remote, but real, possibility that kimchi.min.js breaks and is not loaded for some reason in Kimchi login page. If this happens, the form submit action is not going to be bound to a javascript function that calls an AJAX POST request. Then the browser is going to submit the form in the default way: using a GET request. GET requests add form data in the URL, so user will be able to see the user and password in the URL field and in the log:
"GET /login.html?username=321&password=234 HTTP/1.0" 200 2936 "https://localhost:8001/login.html" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
This patch fixes this problem by adding 'method="post"' in the login html form.
Signed-off-by: Rodrigo Trujillo <rodrigo.trujillo@linux.vnet.ibm.com> --- ui/pages/login.html.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ui/pages/login.html.tmpl b/ui/pages/login.html.tmpl index e2f6855..55848b4 100644 --- a/ui/pages/login.html.tmpl +++ b/ui/pages/login.html.tmpl 
@@ -79,7 +79,7 @@ <div id="messUserPass" class="err-mess" style="display: none;">$_("The username or password you entered is incorrect. Please try again.")</div> <div id="messSession" class="err-mess" style="display: none;">$_("Session timeout, please re-login.")</div> </div> - <form id="form-login" class="login-panel"> + <form id="form-login" class="login-panel" method="post"> <div class="row"> <input type="text" id="username" name="username" required="required" placeholder="$_("User Name")" autofocus/> <div id="username-msg" class="msg-required"></div> -- 2.1.0 _______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel

Hi Samuel,
This patch was applied into master branch which will be merged with wok by the end of the month. So to avoid conflicts you can discard your patch on wok.
Regards, Aline Manera
On 01/09/2015 16:22, Samuel Henrique De Oliveira Guimaraes wrote:
Hi,
I've applied the same fix to wok branch / new-ui template files. I will include in the next series of patches.
Thanks, Samuel
-----Original Message----- From: kimchi-devel-bounces@ovirt.org [mailto:kimchi-devel-bounces@ovirt.org] On Behalf Of Rodrigo Trujillo Sent: Tuesday, 1 September 2015 15:13 To: kimchi-devel@ovirt.org Subject: [Kimchi-devel] [PATCH] Avoid show user/password in url browser
There is a remote, but real, possibility that kimchi.min.js breaks and is not loaded for some reason in Kimchi login page. If this happens, the form submit action is not going to be bound to a javascript function that calls an AJAX POST request. Then the browser is going to submit the form in the default way: using a GET request. GET requests add form data in the URL, so user will be able to see the user and password in the URL field and in the log:
"GET /login.html?username=321&password=234 HTTP/1.0" 200 2936 "https://localhost:8001/login.html" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
This patch fixes this problem by adding 'method="post"' in the login html form.
Signed-off-by: Rodrigo Trujillo <rodrigo.trujillo@linux.vnet.ibm.com> --- ui/pages/login.html.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ui/pages/login.html.tmpl b/ui/pages/login.html.tmpl index e2f6855..55848b4 100644 --- a/ui/pages/login.html.tmpl +++ b/ui/pages/login.html.tmpl @@ -79,7 +79,7 @@ <div id="messUserPass" class="err-mess" style="display: none;">$_("The username or password you entered is incorrect. Please try again.")</div> <div id="messSession" class="err-mess" style="display: none;">$_("Session timeout, please re-login.")</div> </div> - <form id="form-login" class="login-panel"> + <form id="form-login" class="login-panel" method="post"> <div class="row"> <input type="text" id="username" name="username" required="required" placeholder="$_("User Name")" autofocus/> <div id="username-msg" class="msg-required"></div> -- 2.1.0

Reviewed-by: Daniel Barboza <dhbarboza82@gmail.com>
Nice catch
On 09/01/2015 03:13 PM, Rodrigo Trujillo wrote:
There is a remote, but real, possibility that kimchi.min.js breaks and is not loaded for some reason in Kimchi login page. If this happens, the form submit action is not going to be bound to a javascript function that calls an AJAX POST request. Then the browser is going to submit the form in the default way: using a GET request. GET requests add form data in the URL, so user will be able to see the user and password in the URL field and in the log:
"GET /login.html?username=321&password=234 HTTP/1.0" 200 2936 "https://localhost:8001/login.html" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
This patch fixes this problem by adding 'method="post"' in the login html form.
Signed-off-by: Rodrigo Trujillo <rodrigo.trujillo@linux.vnet.ibm.com> --- ui/pages/login.html.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ui/pages/login.html.tmpl b/ui/pages/login.html.tmpl index e2f6855..55848b4 100644 --- a/ui/pages/login.html.tmpl +++ b/ui/pages/login.html.tmpl @@ -79,7 +79,7 @@ <div id="messUserPass" class="err-mess" style="display: none;">$_("The username or password you entered is incorrect. Please try again.")</div> <div id="messSession" class="err-mess" style="display: none;">$_("Session timeout, please re-login.")</div> </div> - <form id="form-login" class="login-panel"> + <form id="form-login" class="login-panel" method="post"> <div class="row"> <input type="text" id="username" name="username" required="required" placeholder="$_("User Name")" autofocus/> <div id="username-msg" class="msg-required"></div>

Applied. Thanks. Regards, Aline Manera

Hi Rodrigo, is this a fix for issue #714?
On 09/01/2015 03:13 PM, Rodrigo Trujillo wrote:
There is a remote, but real, possibility that kimchi.min.js breaks and is not loaded for some reason in Kimchi login page. If this happens, the form submit action is not going to be bound to a javascript function that calls an AJAX POST request. Then the browser is going to submit the form in the default way: using a GET request. GET requests add form data in the URL, so user will be able to see the user and password in the URL field and in the log:
"GET /login.html?username=321&password=234 HTTP/1.0" 200 2936 "https://localhost:8001/login.html" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
This patch fixes this problem by adding 'method="post"' in the login html form.
Signed-off-by: Rodrigo Trujillo <rodrigo.trujillo@linux.vnet.ibm.com> --- ui/pages/login.html.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ui/pages/login.html.tmpl b/ui/pages/login.html.tmpl index e2f6855..55848b4 100644 --- a/ui/pages/login.html.tmpl +++ b/ui/pages/login.html.tmpl @@ -79,7 +79,7 @@ <div id="messUserPass" class="err-mess" style="display: none;">$_("The username or password you entered is incorrect. Please try again.")</div> <div id="messSession" class="err-mess" style="display: none;">$_("Session timeout, please re-login.")</div> </div> - <form id="form-login" class="login-panel"> + <form id="form-login" class="login-panel" method="post"> <div class="row"> <input type="text" id="username" name="username" required="required" placeholder="$_("User Name")" autofocus/> <div id="username-msg" class="msg-required"></div>
-- Lucio Correia Software Engineer IBM LTC Brazil

On 01/10/2015 13:51, Lucio Correia wrote:
Hi Rodrigo, is this a fix for issue #714?
Yeap! Thanks, Lucio! I've just closed the issue.
On 09/01/2015 03:13 PM, Rodrigo Trujillo wrote:
There is a remote, but real, possibility that kimchi.min.js breaks and is not loaded for some reason in Kimchi login page. If this happens, the form submit action is not going to be bound to a javascript function that calls an AJAX POST request. Then the browser is going to submit the form in the default way: using a GET request. GET requests add form data in the URL, so user will be able to see the user and password in the URL field and in the log:
"GET /login.html?username=321&password=234 HTTP/1.0" 200 2936 "https://localhost:8001/login.html" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
This patch fixes this problem by adding 'method="post"' in the login html form.
Signed-off-by: Rodrigo Trujillo <rodrigo.trujillo@linux.vnet.ibm.com> --- ui/pages/login.html.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ui/pages/login.html.tmpl b/ui/pages/login.html.tmpl index e2f6855..55848b4 100644 --- a/ui/pages/login.html.tmpl +++ b/ui/pages/login.html.tmpl @@ -79,7 +79,7 @@ <div id="messUserPass" class="err-mess" style="display: none;">$_("The username or password you entered is incorrect. Please try again.")</div> <div id="messSession" class="err-mess" style="display: none;">$_("Session timeout, please re-login.")</div> </div> - <form id="form-login" class="login-panel"> + <form id="form-login" class="login-panel" method="post"> <div class="row"> <input type="text" id="username" name="username" required="required" placeholder="$_("User Name")" autofocus/> <div id="username-msg" class="msg-required"></div>
participants (6)
- Aline Manera
- Daniel Henrique Barboza
- Lucio Correia
- Ramon Medeiros
- Rodrigo Trujillo
- Samuel Henrique De Oliveira Guimaraes