forum.coppermine-gallery.net


Title: Password Shows during New Install of 1.4.1
Post by: trmentry on October 08, 2005, 12:47:08 am
Hello,

I just downloaded 1.4.1 to give it a try.  The same image in multiple albums has great appeal. :)

Anyway, one thing I noticed is that when running install.php, it shows the password for the administrator in the 'clear'. It's not starred out, i.e.: *******

Also I think it would be beneficial to have 2 password fields, 1 for the password and 1 to verify. And of course, starred out.

I'm running on my own custom server:
Gentoo 2005.1
Apache 2
GD is installed and I'm currently emerging ImageMagick
PHP 4.4.0
MySQL 4.0.25
Standalone Version

I'll finish the install once I get ImageMagick compiled.

Thanks

Title: Re: Password Shows during New Install of 1.4.1
Post by: artistsinhawaii on October 08, 2005, 01:14:20 am
Have you downloaded all of the latest updates from CVS? Do a version check from Admin Tools.

Mine doesn't show the password but rather black dots in its place.

Insofar as adding a second verification password field, that would have to be submitted in the feature request board. There is a freeze on new features for 1.4x.

Dennis

Title: Re: Password Shows during New Install of 1.4.1
Post by: Nibbler on October 08, 2005, 06:41:02 pm
The installer doesn't mask the password; it never has. I wouldn't consider it a bug though.

Title: Re: Password Shows during New Install of 1.4.1
Post by: trmentry on October 08, 2005, 07:21:07 pm
Thanks for the info, Nibbler. It's been a long time since I did a fresh install of CPG. My 1.3x install is running nicely and I didn't remember if the password was masked or not when I first installed it.

Title: Re: Password Shows during New Install of 1.4.1
Post by: Joachim Müller on October 10, 2005, 07:33:15 am
All of the info entered into the installer is highly sensitive: the MySQL data is much more important than the coppermine admin password imo. The installer shouldn't be executed on an untrusted machine at all (e.g. an internet café). There's always the possibility of a man-in-the-middle attack though, but then again it won't help to make the input fields display only asterisks instead of the plain text, as the data currently will be sent unencrypted anyway. To actually make this process more secure, the whole installer would have to be re-coded from scratch, which is not an option for cpg1.4.x (we have a feature freeze, remember). Imo this is not a bug, but a missing feature, so I'm moving this thread from "CPG 1.4 Testing/Bugs" to approved feature requests.
The installer has been on my personal list of stuff that needs improvement anyway, so as this thread now exists, let's summarize what I would like changed:
Joachim
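
The points raised in this thread (masked password fields, a verify field, and the remark that masking does not help while the form is submitted unencrypted) can be checked mechanically. The following is an added example, not part of the thread and not Coppermine code; the form markup, the field names, the gallery.example URL and the name-matching heuristics are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a minimal installer-style form, NOT Coppermine's real install.php markup.
SAMPLE_FORM = """
<form method="post" action="install.php">
  <input type="text" name="admin_username">
  <input type="text" name="admin_password">
  <input type="text" name="dbserver">
  <input type="text" name="dbpass">
</form>
"""

class _FormCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.action = ""
        self.inputs = []  # (name, type) pairs in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action") or ""
        elif tag == "input":
            self.inputs.append(((a.get("name") or "").lower(), (a.get("type") or "text").lower()))

def audit_form(html, page_url):
    """Return findings for one HTML form served at page_url."""
    p = _FormCollector()
    p.feed(html)
    # Assumption: secret fields are recognised by name ("pass" or "pwd" in the name).
    secrets = [(n, t) for n, t in p.inputs if "pass" in n or "pwd" in n]
    findings = [f"unmasked:{n}" for n, t in secrets if t != "password"]
    # Assumption: a verify field carries "verify" or "confirm" in its name.
    if secrets and not any("verify" in n or "confirm" in n for n, _ in secrets):
        findings.append("no-verify-field")
    # Masking only hides the value on screen; the POST target decides whether it travels in clear.
    target = urljoin(page_url, p.action)
    if urlparse(target).scheme != "https":
        findings.append("cleartext-submit")
    return findings

if __name__ == "__main__":
    url = "http://gallery.example/install.php"  # hypothetical host
    print(audit_form(SAMPLE_FORM, url))
    # Masking every field still leaves the transport finding in place.
    masked = SAMPLE_FORM.replace('type="text"', 'type="password"')
    print(audit_form(masked, url))
```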