Security: Prevent leak of POP3 passwords in html code.

2023-06-06 17:37:52 +02:00 · 2023-06-06 17:37:52 +02:00 · e2a4d687e8
commit e2a4d687e8
parent 76a58c77f5
3 changed files with 9 additions and 4 deletions
--- a/src/prefs.php
+++ b/src/prefs.php
@ -1355,7 +1355,13 @@ else if($_REQUEST['action'] == 'extpop3')
 		&& IsPOSTRequest())
 	{
 		$_REQUEST['p_user'] = str_replace(array("\n", "\r"), '', $_REQUEST['p_user']);
-		$_REQUEST['p_pass'] = str_replace(array("\n", "\r"), '', $_REQUEST['p_pass']);
+		if(empty($_REQUEST['p_pass'])) {
+			$account = $thisUser->GetPOP3Account((int)$_REQUEST['id']);
+			$_REQUEST['p_pass'] = $account['p_pass'];
+		}
+		else {
+			$_REQUEST['p_pass'] = str_replace(array("\n", "\r"), '', $_REQUEST['p_pass']);
+		}

 		if(CheckPOP3Login($_REQUEST['p_host'], (int)$_REQUEST['p_port'], $_REQUEST['p_user'], $_REQUEST['p_pass'], isset($_REQUEST['p_ssl'])))
 		{
--- a/src/templates/modern/js/prefs.js
+++ b/src/templates/modern/js/prefs.js
@ -96,7 +96,6 @@ function checkPOP3AccountForm(form)
 {
 	if(form.elements['p_host'].value.length < 2
 		|| form.elements['p_user'].value.length < 2
-		|| form.elements['p_pass'].value.length < 2
 		|| form.elements['p_port'].value.length < 1)
 	{
 		alert(lang['fillin']);
--- a/src/templates/modern/li/prefs.extpop3.edit.tpl
+++ b/src/templates/modern/li/prefs.extpop3.edit.tpl
@ -39,9 +39,9 @@
 			</td>
 		</tr>
 		<tr>
-			<td class="listTableLeft">* <label for="p_pass">{lng p="password"}:</label></td>
+			<td class="listTableLeft"><label for="p_pass">{lng p="password"}:</label></td>
 			<td class="listTableRight">
-				<input type="password" name="p_pass" id="p_pass" value="{if isset($account.p_pass)}{text value=$account.p_pass allowEmpty=true}{/if}" size="24" />
+				<input type="password" name="p_pass" id="p_pass" placeholder="****" size="24" />
 			</td>
 		</tr>
 		<tr>