From 78b0c938a25316be1228c3e8117ef7dd859821d7 Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Thu, 4 Jun 2015 14:29:03 +0200 Subject: [ticket/sec-184] Do not output LDAP password to HTML SECURITY-184 --- phpBB/includes/acp/acp_board.php | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'phpBB/includes/acp') diff --git a/phpBB/includes/acp/acp_board.php b/phpBB/includes/acp/acp_board.php index 5247bb213d..4a1c74fd77 100644 --- a/phpBB/includes/acp/acp_board.php +++ b/phpBB/includes/acp/acp_board.php @@ -567,6 +567,7 @@ class acp_board $old_auth_config = array(); foreach ($auth_providers as $provider) { + /** @var \phpbb\auth\provider\provider_interface $provider */ if ($fields = $provider->acp()) { // Check if we need to create config fields for this plugin and save config when submit was pressed @@ -582,6 +583,14 @@ class acp_board continue; } + if (substr($field, -9) === '_password' && $cfg_array[$field] === '********') + { + // Do not update password fields if the content is ********, + // because that is the password replacement we use to not + // send the password to the output + continue; + } + $old_auth_config[$field] = $this->new_config[$field]; $config_value = $cfg_array[$field]; $this->new_config[$field] = $config_value; -- cgit v1.2.1