From 8ee5d51bd47279d5b23c409744fab6614af0e918 Mon Sep 17 00:00:00 2001 From: Jeremy Lin Date: Sat, 10 Jul 2021 01:20:37 -0700 Subject: [PATCH] Disable `show_password_hint` by default A setting that provides unauthenticated access to potentially sensitive data shouldn't be enabled by default. --- .env.template | 6 ++++-- src/config.rs | 7 ++++--- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/.env.template b/.env.template index 530a6a01..1662080e 100644 --- a/.env.template +++ b/.env.template @@ -210,8 +210,10 @@ ## The change only applies when the password is changed # PASSWORD_ITERATIONS=100000 -## Whether password hint should be sent into the error response when the client request it -# SHOW_PASSWORD_HINT=true +## Controls whether a password hint should be shown directly in the web page if +## SMTP service is not configured. Not recommended for publicly-accessible instances +## as this provides unauthenticated access to potentially sensitive data. +# SHOW_PASSWORD_HINT=false ## Domain settings ## The domain must match the address from where you access the server diff --git a/src/config.rs b/src/config.rs index 6b4fce59..347b0c5e 100644 --- a/src/config.rs +++ b/src/config.rs @@ -388,9 +388,10 @@ make_config! { /// Password iterations |> Number of server-side passwords hashing iterations. /// The changes only apply when a user changes their password. Not recommended to lower the value password_iterations: i32, true, def, 100_000; - /// Show password hints |> Controls if the password hint should be shown directly in the web page. - /// Otherwise, if email is disabled, there is no way to see the password hint - show_password_hint: bool, true, def, true; + /// Show password hint |> Controls whether a password hint should be shown directly in the web page + /// if SMTP service is not configured. Not recommended for publicly-accessible instances as this + /// provides unauthenticated access to potentially sensitive data. + show_password_hint: bool, true, def, false; /// Admin page token |> The token used to authenticate in this very same page. Changing it here won't deauthorize the current session admin_token: Pass, true, option;