Quick Start Wizard - Server Password in Cleartext

Questions and bug reports for Beta releases should be posted here.
Forum rules
Help us help you:
  • Tell us what system you run SABnzbd on.
  • Adhere to the forum rules.
  • Do you experience problems during downloading?
    Check your connection in Status and Interface settings window.
    Use Test Server in Config > Servers.
    We will probably ask you to do a test using only basic settings.
  • Do you experience problems during repair or unpacking?
    Enable +Debug logging in the Status and Interface settings window and share the relevant parts of the log here using [ code ] sections.
Post Reply
smidley
Jr. Member
Jr. Member
Posts: 64
Joined: January 29th, 2010, 11:34 pm

Quick Start Wizard - Server Password in Cleartext

Post by smidley »

When setting up sab 0.8 beta 3 using the quickstart wizard, it asks for your usenet server info. When you enter in the username and password, it shows up as clear text for the password. This should be censored out.
User avatar
shypike
Administrator
Administrator
Posts: 19774
Joined: January 18th, 2008, 12:49 pm

Re: Quick Start Wizard - Server Password in Cleartext

Post by shypike »

It should not.
Must be a recently introduced bug.
smidley
Jr. Member
Jr. Member
Posts: 64
Joined: January 29th, 2010, 11:34 pm

Re: Quick Start Wizard - Server Password in Cleartext

Post by smidley »

That's what I thought. Consider this my bug report :)
User avatar
safihre
Administrator
Administrator
Posts: 5521
Joined: April 30th, 2015, 7:35 am
Contact:

Re: Quick Start Wizard - Server Password in Cleartext

Post by safihre »

This is done on purpose:
While before password managers of browsers such as Chrome and Firefox would look for fields named Username and Password, now they will ask you to 'Save a password' as soon as they detect a password type field on the screen, whatever we name it.
If the users then in the wizzard let's the browser save their password, later it will very aggressively try to automatically fill that username and password everywhere it thinks there is something to fill. In the case of Sabnzbd, we had cases where this caused the browser to fill the server username and pass for the general Sabnzbd password in the first page of the Config.. Causing people to be locked out of their sabnzbd after hitting save and not noticing that.
Also, it might look censored, but it's only a visual browser trick in case anyone is looking over your shoulder.. Any code can still easily read the field.
So we chose to remove any password type field to avoid accidental fills by browsers or password managers.
In the config you will see passwords being replaced by ********, so it only is visible for those few moments during the wizzard.
If you like our support, check our special newsserver deal or donate at: https://sabnzbd.org/donate
Post Reply