never send passwords back to client, instead send a number of asterisks and replace them again on server-side

2024-11-07 16:44:20 +01:00 · 2013-11-04 09:11:11 +00:00 · 2013-11-04 09:11:11 +00:00 · 1fe139c822
commit 1fe139c822
parent a1b66d286d
1 changed files with 35 additions and 1 deletions
--- a/etemplate/inc/class.etemplate_widget_textbox.inc.php
+++ b/etemplate/inc/class.etemplate_widget_textbox.inc.php
@ -7,7 +7,7 @@
 * @subpackage api
 * @link http://www.egroupware.org
 * @author Ralf Becker <RalfBecker@outdoor-training.de>
- * @copyright 2002-11 by RalfBecker@outdoor-training.de
+ * @copyright 2002-13 by RalfBecker@outdoor-training.de
 * @version $Id$
 */

@ -18,6 +18,7 @@
 * - float
 * - hidden
 * - colorpicker
+ * - passwd (passwords are never send back to client, instead a number of asterisks is send and replaced again!)
 * sub-types are either passed to constructor or set via 'type' attribute!
 */
 class etemplate_widget_textbox extends etemplate_widget
@ -67,6 +68,28 @@ class etemplate_widget_textbox extends etemplate_widget
 		return $this;
 	}

+	/**
+	 * Set up what we know on the server side.
+	 *
+	 * @param string $cname
+	 * @param array $expand values for keys 'c', 'row', 'c_', 'row_', 'cont'
+	 */
+	public function beforeSendToClient($cname, array $expand)
+	{
+		// to NOT transmit passwords back to client, we need to store (non-empty) value in preserv
+		if ($this->attrs['type'] == 'passwd' || $this->type == 'passwd')
+		{
+			$form_name = self::form_name($cname, $this->id, $expand);
+			$value =& self::get_array(self::$request->content, $form_name);
+			if (!empty($value))
+			{
+				$preserv =& self::get_array(self::$request->preserv, $form_name, true);
+				$preserv = (string)$value;
+				$value = str_repeat('*', strlen($preserv));
+			}
+		}
+	}
+
 	/**
 	 * Validate input
 	 *
@ -108,6 +131,17 @@ class etemplate_widget_textbox extends etemplate_widget
 			$value = $value_in = self::get_array($content, $form_name);
 			$valid =& self::get_array($validated, $form_name, true);

+			// passwords are not transmitted back to client (just asterisks)
+			// therefore we need to replace it again with preserved value
+			if (($this->attrs['type'] == 'passwd' || $this->type == 'passwd'))
+			{
+				$preserv = self::get_array(self::$request->preserv, $form_name);
+				if ($value == str_repeat('*', strlen($preserv)))
+				{
+					$value = $preserv;
+				}
+			}
+
 			if ((string)$value === '' && $this->attrs['needed'])
 			{
 				self::set_validation_error($form_name,lang('Field must not be empty !!!'),'');