From 6ca3a30576ae1bac68d5f4ef5dec286f000131ee Mon Sep 17 00:00:00 2001
From: Joas Schilling <nickvergessen@gmx.de>
Date: Thu, 4 Jun 2015 14:06:35 +0200
Subject: [ticket/sec-184] Do not output config passwords to the HTML page

SECURITY-184
---
 phpBB/includes/functions_acp.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'phpBB/includes/functions_acp.php')

diff --git a/phpBB/includes/functions_acp.php b/phpBB/includes/functions_acp.php
index a53a54368e..d566336d26 100644
--- a/phpBB/includes/functions_acp.php
+++ b/phpBB/includes/functions_acp.php
@@ -245,8 +245,13 @@ function build_cfg_template($tpl_type, $key, &$new, $config_key, $vars)
 
 	switch ($tpl_type[0])
 	{
-		case 'text':
 		case 'password':
+			if ($new[$config_key] !== '')
+			{
+				// replace passwords with asterixes
+				$new[$config_key] = '********';
+			}
+		case 'text':
 		case 'url':
 		case 'email':
 		case 'color':
-- 
cgit v1.2.1