Security hardening: don't store the password as plain text

Created on 28 August 2024
Updated 16 September 2024

Problem/Motivation

This was already reported to the Drupal Security Team, and they advised that it should be a public issue because exporting configuration requires advanced permissions.

Debug Report

You can see this vulnerability by:
1. Enabling the LDAP Servers module
2. At /admin/config/people/ldap/server configure a "server" to use "Service Account Bind" and set a password
3. Run `drush cex -y`. Note that in `ldap_servers.server.[server-name].yml` the password you entered is now in your codebase in plain text.
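The exposure described in the steps above is easy to catch before the exported file is committed. The following is an added example, not code from the issue or the LDAP Servers module: a small Python check that walks exported config YAML and flags any credential-looking key (`password`, `pw`, `secret`, `token`, `api_key`) that carries a literal, non-empty value. The sample config is constructed for the example; its key names (`bindpw`, `binddn`, `bindpw_key`) are assumptions, since the real module's key names are not given on the page. The scanner is deliberately line-based so it needs no PyYAML, which is enough for the flat `key: value` mappings that exported config consists of.

```python
"""Detect plaintext credentials in exported Drupal config (added example)."""
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# Key names that commonly hold a credential, matched against the end of
# the key name so that e.g. "bindpw" and "client_secret" are caught.
CREDENTIAL_KEY_RE = re.compile(r"(pass(word)?|pw|secret|token|api_?key)$", re.I)

# Constructed sample modelled on ldap_servers.server.[server-name].yml.
# The key names here are ASSUMED for the example, not taken from the module.
SAMPLE_LDAP_CONFIG = """\
uuid: 00000000-0000-0000-0000-000000000000
id: example
label: 'Example LDAP'
bind_method: service_account
binddn: 'cn=service,dc=example,dc=com'
bindpw: 'hunter2'
address: ldap.example.com
port: 636
"""

# Constructed sample of the remediated shape: the literal password is gone
# and the config only carries a reference to a key held elsewhere
# (a Key module key id is the ASSUMED meaning of ``bindpw_key``).
SAMPLE_REMEDIATED = """\
bind_method: service_account
binddn: 'cn=service,dc=example,dc=com'
bindpw: ''
bindpw_key: ldap_service_account   # assumed: id of a Key module key
"""


def _unquote(value: str) -> str:
    """Strip a trailing YAML comment and one layer of matching quotes."""
    if " #" in value:
        value = value.split(" #", 1)[0].strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        value = value[1:-1]
    return value


def scan_config(text: str) -> List[Tuple[str, str]]:
    """Return (dotted.key.path, value) pairs that look like plaintext secrets."""
    findings: List[Tuple[str, str]] = []
    path: List[Tuple[int, str]] = []  # stack of (indent, key) for nesting
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("- "):
            continue  # blank lines, comments and sequences are not mappings
        if ":" not in stripped:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = stripped.partition(":")
        key = key.strip()
        # Unwind the stack to the parent of this indentation level.
        while path and path[-1][0] >= indent:
            path.pop()
        path.append((indent, key))
        value = _unquote(value.strip())
        if value in ("", "~", "null"):
            continue  # nested mapping follows, or the value is intentionally empty
        if CREDENTIAL_KEY_RE.search(key):
            findings.append((".".join(k for _, k in path), value))
    return findings


def scan_directory(config_dir: str) -> Dict[str, List[Tuple[str, str]]]:
    """Scan every *.yml under config_dir; return findings keyed by file name."""
    results: Dict[str, List[Tuple[str, str]]] = {}
    for yml in sorted(Path(config_dir).rglob("*.yml")):
        hits = scan_config(yml.read_text(encoding="utf-8"))
        if hits:
            results[str(yml)] = hits
    return results


if __name__ == "__main__":
    # Usage: python check_config_secrets.py config/sync  (exit 1 on findings)
    found = scan_directory(sys.argv[1] if len(sys.argv) > 1 else "config/sync")
    for name, hits in found.items():
        for key_path, value in hits:
            print(f"{name}: {key_path} holds a literal value ({len(value)} chars)")
    sys.exit(1 if found else 0)
```

Run against the `config/sync` directory produced by `drush cex` in a pre-commit hook or CI step; a non-zero exit blocks the commit. The report prints only the length of the offending value, not the value itself, so the check does not copy the secret into build logs.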

Proposed resolution

Either:
* Set Key module as an explicit requirement and directly integrate with it.
* Add help text to recommend installing Key module and manually doing it yourself via its interface.

Remaining tasks

* Decide
* Implement

User interface changes

TBD

API changes

None

Data model changes

None

Feature request
Status

Closed: works as designed

Version

4.0

Component

Code

Created by

dalin (Guelph, Canada)
