[Kimchi-devel] [PATCH] Avoid show user/password in url browser

Daniel Henrique Barboza danielhb at linux.vnet.ibm.com
Tue Sep 1 20:30:43 UTC 2015


Reviewed-by: Daniel Barboza <dhbarboza82 at gmail.com>


Nice catch

On 09/01/2015 03:13 PM, Rodrigo Trujillo wrote:
> There is a remote, but real, possibility that kimchi.min.js breaks and
> is not loaded for some reason in the Kimchi login page. If this happens, the
> form submit action is not going to be bound to a JavaScript function
> that calls an AJAX POST request. Then the browser is going to submit the
> form in the default way: using a GET request. GET requests add form data
> to the URL, so the user will be able to see the user and password in the URL
> field and in the log:
>
> "GET /login.html?username=321&password=234 HTTP/1.0" 200 2936
> "https://localhost:8001/login.html" "Mozilla/5.0 (X11; Fedora; Linux
> x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
>
> This patch fixes this problem by adding 'method="post"' to the login HTML
> form.
>
> Signed-off-by: Rodrigo Trujillo <rodrigo.trujillo at linux.vnet.ibm.com>
> ---
>   ui/pages/login.html.tmpl | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/ui/pages/login.html.tmpl b/ui/pages/login.html.tmpl
> index e2f6855..55848b4 100644
> --- a/ui/pages/login.html.tmpl
> +++ b/ui/pages/login.html.tmpl
> @@ -79,7 +79,7 @@
>           <div id="messUserPass" class="err-mess" style="display: none;">$_("The username or password you entered is incorrect. Please try again.")</div>
>           <div id="messSession" class="err-mess" style="display: none;">$_("Session timeout, please re-login.")</div>
>       </div>
> -    <form id="form-login" class="login-panel">
> +    <form id="form-login" class="login-panel" method="post">
>           <div class="row">
>               <input type="text" id="username" name="username" required="required" placeholder="$_("User Name")" autofocus/>
>               <div id="username-msg" class="msg-required"></div>
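Review bot: the new `<form id="form-login" class="login-panel" method="post">` line still carries no `action` attribute, so when kimchi.min.js fails to load the browser will POST the fields to the page's own URL (/login.html) rather than to whatever endpoint the AJAX handler uses; confirm that the server accepts a POST with username/password at that path (otherwise the fallback just re-serves the login page), or set `action` to the login endpoint explicitly. With `method="post"` the credentials move from the query string into the request body, so they stay out of the URL bar, the Referer header and the access log, which is what the description targets.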

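As an added example from the reviewer's side (not part of the patch or of Kimchi), the following scans access-log lines for the leak the description shows: credentials carried in a query string. It uses the log line quoted above as its first sample; the POST login line and the plain GET line are constructed here for contrast, and the set of parameter names treated as sensitive is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Form fields whose values must never reach a URL (and therefore the access log).
# Assumed list; extend it for the application's own field names.
SENSITIVE_PARAMS = {"username", "user", "password", "passwd", "pwd", "token", "secret"}

# Matches the request token of a combined-format access-log line: "GET /path?qs HTTP/1.0"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>[^" ]+) HTTP/[\d.]+"')

# Constructed sample: the first line is the one quoted in the patch description,
# the other two (a correct POST login, a harmless GET) are made up for contrast.
SAMPLE_LOG = '''\
"GET /login.html?username=321&password=234 HTTP/1.0" 200 2936 "https://localhost:8001/login.html" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
"POST /login HTTP/1.0" 303 0 "https://localhost:8001/login.html" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
"GET /plugins/kimchi/vms?order=name HTTP/1.0" 200 512 "-" "Mozilla/5.0"
'''

def leaked_params(line):
    """Return the sensitive query-string parameter names present in one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS]

def redact_line(line):
    """Replace the values of sensitive query parameters so the line can be retained safely."""
    m = REQUEST_RE.search(line)
    if not m:
        return line
    parts = urlsplit(m.group("target"))
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    target = urlunsplit(parts._replace(query=urlencode(pairs)))
    return line[:m.start("target")] + target + line[m.end("target"):]

def scan_log(text):
    """Return (method, path, leaked_names) for every line carrying credentials in its URL."""
    hits = []
    for line in text.splitlines():
        names = leaked_params(line)
        if names:
            m = REQUEST_RE.search(line)
            hits.append((m.group("method"), urlsplit(m.group("target")).path, names))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags only the GET to /login.html; `redact_line` on that line yields `username=REDACTED&password=REDACTED` while leaving the other lines unchanged.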