authorJoas Schilling <nickvergessen@gmx.de>2015-06-04 14:06:35 +0200
committerJoas Schilling <nickvergessen@gmx.de>2015-06-04 14:06:35 +0200
commit6ca3a30576ae1bac68d5f4ef5dec286f000131ee (patch)
tree0f2397a9f3cd6d47c8f338e06e792ed741c823c0 /phpBB/includes/acp/acp_board.php
parentdb3782e4912e2945a546309dab38a4c00bd0f5c5 (diff)
[ticket/sec-184] Do not output config passwords to the HTML page
SECURITY-184
Diffstat (limited to 'phpBB/includes/acp/acp_board.php')
-rw-r--r--phpBB/includes/acp/acp_board.php9
1 files changed, 8 insertions, 1 deletions
diff --git a/phpBB/includes/acp/acp_board.php b/phpBB/includes/acp/acp_board.php
index a41a53226f..5247bb213d 100644
--- a/phpBB/includes/acp/acp_board.php
+++ b/phpBB/includes/acp/acp_board.php
@@ -500,7 +500,7 @@ class acp_board
}
// We go through the display_vars to make sure no one is trying to set variables he/she is not allowed to...
- foreach ($display_vars['vars'] as $config_name => $null)
+ foreach ($display_vars['vars'] as $config_name => $data)
{
if (!isset($cfg_array[$config_name]) || strpos($config_name, 'legend') !== false)
{
@@ -532,6 +532,13 @@ class acp_board
if ($submit)
{
+ if (strpos($data['type'], 'password') === 0 && $config_value === '********')
+ {
+ // Do not update password fields if the content is ********,
+ // because that is the password replacement we use to not
+ // send the password to the output
+ continue;
+ }
set_config($config_name, $config_value);
if ($config_name == 'allow_quick_reply' && isset($_POST['allow_quick_reply_enable']))
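Review bot: The literal `'********'` in the added check under `if ($submit)` is a sentinel that has to match, byte for byte, the mask the form-rendering code emits for password fields, and that code is not part of this file's diff. If the two strings ever drift apart, simply re-saving the settings page would overwrite the stored credential with the mask, so a single shared constant used by both sides would be safer than two literals. The comment should also record the side effect, for example `// NOTE: must stay identical to the mask rendered for password fields; a real password of exactly eight asterisks cannot be saved through this form`. `$data['type']` is presumably only reached for array entries because legend entries are skipped earlier in the loop, but the loop body starts and ends outside the hunk, so that is worth confirming.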