[PATCH 2 of 8] admin: e-mail: remove display of SMTP password
Mads Kiilerich
mads at kiilerich.com
Thu Jul 23 12:11:21 UTC 2015
On 07/22/2015 09:50 PM, Thomas De Schampheleire wrote:
> # HG changeset patch
> # User Thomas De Schampheleire <thomas.de.schampheleire at gmail.com>
> # Date 1437508363 -7200
> # Tue Jul 21 21:52:43 2015 +0200
> # Node ID f219f0a41f57655dd2125c9371db9ee1ac217a4b
> # Parent 27fbaba10257132c1087a3dc7f7c2bdfd4b5ab9e
> admin: e-mail: remove display of SMTP password
>
> It is quite useless, and in a way a security leak, to display the length of
> the SMTP password when showing the e-mail settings.
> Removing any reference to the SMTP password has the additional advantage of
> making subsequent cleanup on this page easier.
I don't really know how valuable it is to show .ini values in the UI
(there are a lot of other settings we don't show - we either should or
shouldn't) BUT when we show email settings, I think it is quite relevant
to also show whether there is a password or not.
Perhaps do a
    c.ini['smtp_password_hidden'] = '******' if c.ini.get('smtp_password') else ''
and display that instead.
/Mads
>
> diff --git a/kallithea/templates/admin/settings/settings_email.html b/kallithea/templates/admin/settings/settings_email.html
> --- a/kallithea/templates/admin/settings/settings_email.html
> +++ b/kallithea/templates/admin/settings/settings_email.html
> @@ -8,7 +8,6 @@
>
> (_('SMTP server'), c.ini.get('smtp_server'), ''),
> (_('SMTP username'), c.ini.get('smtp_username'), ''),
> - (_('SMTP password'), '%s chars' % len(c.ini.get('smtp_password', '')), ''),
> (_('SMTP port'), c.ini.get('smtp_port'), ''),
>
> (_('SMTP use TLS'), c.ini.get('smtp_use_tls'), ''),
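Review bot: The row removed between `SMTP username` and `SMTP port` was the only indication on this page of whether an SMTP password is configured at all, so dropping it outright trades the length leak for a loss of diagnostic information. Consider keeping the row but rendering a value that does not depend on the secret's length or content, for example a fixed-width mask when `c.ini.get('smtp_password')` is non-empty and an empty string otherwise. That still removes `len(c.ini.get('smtp_password', ''))` from the template while letting an admin see at a glance that authentication is set up.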