[sork] Passwd backends
Eric Rostetter
eric.rostetter at physics.utexas.edu
Mon Jan 31 14:40:52 PST 2005
Quoting Eric Rostetter <eric.rostetter at physics.utexas.edu>:
> If you make your form read-only, then I can download the form, change it
> to be non-read-only, and submit it back with the username changed.
I just checked the code, and it makes the field "hidden" when you don't
want the username shown/changed. This is no more secure than the "read-only"
solution unfortunately.
> If you make the option to change the username a configuration value,
> then *hopefully* the code will enforce that by always using a Horde
> provided username and not a form-submitted (user provided data) username,
> so there is no way to circumvent the restriction.
The code does not appear to check for this.
In any case, I've added code to the CVS RELENG_2 branch of passwd (back ported
from CVS HEAD) to show/hide the username field based on a configuration
setting. It should show up in the next snapshot (tonight I guess).
Diffs for those who want them are at:
http://cvs.horde.org/diff.php/passwd/config/Attic/conf.php.dist?sa=1&r1=1.1.1.1.2.3&r2=1.1.1.1.2.4&ty=u
http://cvs.horde.org/diff.php/passwd/docs/CHANGES?r1=1.1.1.1.2.31&r2=1.1.1.1.2.32&ty=u
http://cvs.horde.org/diff.php/passwd/templates/main/main.inc?r1=1.3.2.3&r2=1.3.2.4&ty=u
The default configuration is to still show the field for backwards
compatibility.
--
Eric Rostetter
The Department of Physics
The University of Texas at Austin
Why get even? Get odd!
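The point made in the message above, that a hidden or read-only username field is no protection because the server still accepts whatever the client sends, and that the fix is to take the username from the server-side login rather than from the form, as an added illustration. This is example code written for this page, not Horde passwd's own code and not the change linked above; the names PasswordStore, Session, change_password_vulnerable and change_password_hardened, the allow_username_change flag, and the user data are all constructed for the demonstration.

```python
"""Why a hidden/read-only username field is not a security control, and what
the server-side handling should look like instead.

Added example, not Horde passwd code. PasswordStore, Session and the
change_password_* handlers are hypothetical stand-ins for a backend, the
framework's login state and the form handler.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import os


@dataclass
class PasswordStore:
    """Toy backend: username -> (salt, sha256(salt + password)). Constructed data only."""
    users: dict = field(default_factory=dict)

    def set_password(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self._digest(salt, password))

    def check_password(self, username, password):
        if username not in self.users:
            return False
        salt, stored = self.users[username]
        return hmac.compare_digest(stored, self._digest(salt, password))

    @staticmethod
    def _digest(salt, password):
        return hashlib.sha256(salt + password.encode("utf-8")).digest()


@dataclass
class Session:
    """Identity established by the framework at login (the server-provided username)."""
    user: str


def change_password_vulnerable(store, session, form):
    """Trusts the form's username field. The template may render that field
    hidden or read-only, but the browser is under the submitter's control, so
    the value arriving here is whatever they chose to send."""
    if not store.check_password(session.user, form["oldpassword"]):
        return False
    store.set_password(form["username"], form["newpassword"])  # wrong account
    return True


def change_password_hardened(store, session, form, allow_username_change=False):
    """Takes the target account from the session, never from the request.
    If a deployment deliberately lets users name another account
    (allow_username_change=True, the behaviour of showing the field), the old
    password is verified against *that* account, so the submitted username is
    a claim the submitter still has to prove rather than a free choice."""
    if allow_username_change:
        target = form.get("username", session.user)
    else:
        target = session.user  # any submitted username is ignored
    if not store.check_password(target, form["oldpassword"]):
        return False
    store.set_password(target, form["newpassword"])
    return True


def demo():
    """Constructed scenario: mallory is logged in and edits the hidden field to 'alice'."""
    store = PasswordStore()
    store.set_password("alice", "alice-secret")
    store.set_password("mallory", "mallory-secret")
    mallory = Session(user="mallory")
    # What the server receives after the hidden/read-only field is tampered with:
    tampered = {"username": "alice",
                "oldpassword": "mallory-secret",
                "newpassword": "pwned"}

    results = {}
    results["vulnerable_accepted"] = change_password_vulnerable(store, mallory, tampered)
    results["vulnerable_alice_hijacked"] = store.check_password("alice", "pwned")

    store.set_password("alice", "alice-secret")  # reset between runs
    results["hardened_accepted"] = change_password_hardened(store, mallory, tampered)
    results["hardened_alice_intact"] = store.check_password("alice", "alice-secret")
    results["hardened_mallory_changed"] = store.check_password("mallory", "pwned")

    store.set_password("mallory", "mallory-secret")  # reset between runs
    results["named_target_rejected"] = not change_password_hardened(
        store, mallory, tampered, allow_username_change=True)
    results["named_target_alice_intact"] = store.check_password("alice", "alice-secret")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable handler authenticates the session user and then writes the new password to whichever account the form names, so the tampered request changes alice's password. The hardened handler with the field disabled changes only mallory's own password regardless of what was submitted; with the field enabled, the old-password check is tied to the named account and the tampered request is refused.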