plain text password in the database

[ukcb]

I can see my admin password in plain text in the database.

sessionstorage:-FWbiguBVxp1_VWLERNNheogwak9aewi {"cookie":
{"path":"/","_expires":null,"originalMaxAge":null,"httpOnly":true,"secure":false},
"passport":{},"user":{"password":"Here is a plain text password!",
"is_admin":true,"username":"admin"}}

That must not happen!

v1.6.6

[JohnMcLear]

Steps to replicate

1. Uncomment password section
2. Visit /admin
3. Cat var/dirty.db | grep YOURPASS

[JohnMcLear]

PR in to fix.
#3782

[alasserr]

Hi, the 5c5b99f commit makes etherpad not usable (at least with the Docker version) :

• at first login, the admin password is the one one's set it up from Docker variables environment
• but then the login is changed to "PASSWORD_HIDDEN"
  I'm not sure it only concerns Docker versions but this is a HUGE problem.

Using etherpad/etherpad (1.8.4) with postgresQL DB. From Docker. But I tried modifying the password directly in settings.json => same issue (first login OK, second > PASSWORD_HIDDEN) so I'm not sure it is 100% Docker related.

Edit : I confirm that when I remove the code added by @JohnMcLear on file src/node/db/SessionStore.js from lines 40 to 45 the password is now kept between sessions.

[JohnMcLear]

Weird. I'm not sure how doesn't affect non docker deployed versions tho?