[Kimchi-devel] [PATCH] Avoid show user/password in url browser
Daniel Henrique Barboza
danielhb at linux.vnet.ibm.com
Tue Sep 1 20:30:43 UTC 2015
Reviewed-by: Daniel Barboza <dhbarboza82 at gmail.com>
Nice catch
On 09/01/2015 03:13 PM, Rodrigo Trujillo wrote:
> There is a remote, but real, possibility that kimchi.min.js breaks and
> is not loaded for some reason in the Kimchi login page. If this happens, the
> form submit action is not going to be bound to a javascript function
> that calls an AJAX POST request. Then the browser is going to submit the
> form in the default way: using a GET request. GET requests add form data
> in the URL, so the user will be able to see the user and password in the URL
> field and in the log:
>
> "GET /login.html?username=321&password=234 HTTP/1.0" 200 2936
> "https://localhost:8001/login.html" "Mozilla/5.0 (X11; Fedora; Linux
> x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
>
> This patch fixes this problem by adding 'method="post"' in the login html
> form.
>
> Signed-off-by: Rodrigo Trujillo <rodrigo.trujillo at linux.vnet.ibm.com>
> ---
> ui/pages/login.html.tmpl | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/ui/pages/login.html.tmpl b/ui/pages/login.html.tmpl
> index e2f6855..55848b4 100644
> --- a/ui/pages/login.html.tmpl
> +++ b/ui/pages/login.html.tmpl
> @@ -79,7 +79,7 @@
> <div id="messUserPass" class="err-mess" style="display: none;">$_("The username or password you entered is incorrect. Please try again.")</div>
> <div id="messSession" class="err-mess" style="display: none;">$_("Session timeout, please re-login.")</div>
> </div>
> - <form id="form-login" class="login-panel">
> + <form id="form-login" class="login-panel" method="post">
> <div class="row">
> <input type="text" id="username" name="username" required="required" placeholder="$_("User Name")" autofocus/>
> <div id="username-msg" class="msg-required"></div>
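Review bot: On the changed `<form id="form-login" class="login-panel" method="post">` line there is still no `action` attribute, so when kimchi.min.js fails to load the browser will POST the username and password to the page's own URL (/login.html in the log excerpt) rather than through the AJAX handler the commit message describes. That keeps the credentials out of the URL field and the access log, which is the stated goal, but nothing in the visible lines shows that login.html accepts a POST, so the no-script path may not result in a login. Consider adding an explicit `action` that points at the login handler, or stating in the commit message that the fallback is only meant to stop the leak and that a failed script load still blocks sign-in. It is also worth noting that username/password pairs already written to the log by earlier GET submissions, like the one quoted in the commit message, are not removed by this change.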