Mirror of https://github.com/dani-garcia/vaultwarden.git, synchronized 2024-11-26 05:50:29 +01:00
Disable show_password_hint by default
A setting that provides unauthenticated access to potentially sensitive data shouldn't be enabled by default.
This commit is contained in:
Parent 3968bc8016
Commit 8ee5d51bd4
2 changed files with 8 additions and 5 deletions
@ -210,8 +210,10 @@
## The change only applies when the password is changed
## The change only applies when the password is changed
# PASSWORD_ITERATIONS=100000
# PASSWORD_ITERATIONS=100000
## Whether password hint should be sent into the error response when the client request it
## Controls whether a password hint should be shown directly in the web page if
# SHOW_PASSWORD_HINT=true
## SMTP service is not configured. Not recommended for publicly-accessible instances
## as this provides unauthenticated access to potentially sensitive data.
# SHOW_PASSWORD_HINT=false
## Domain settings
## Domain settings
## The domain must match the address from where you access the server
## The domain must match the address from where you access the server
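Review bot: the rewritten comment in the first hunk drops the one detail the old line carried, namely that the hint is sent back in the error response to a client request, so `## Controls whether a password hint should be shown directly in the web page if` now reads as a pure UI toggle and an operator may not realise the value is served by the API to an unauthenticated client. Suggest keeping the mechanism in the comment, e.g. `## Whether the password hint is returned in the (unauthenticated) password-hint response and shown in the web page when SMTP is not configured.` Updating the commented example to `# SHOW_PASSWORD_HINT=false` so it matches the new code default is right; since every deployment that never set the variable changes behaviour on upgrade, the change also deserves a line in the changelog or upgrade notes.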
@ -388,9 +388,10 @@ make_config! {
/// Password iterations |> Number of server-side passwords hashing iterations.
/// Password iterations |> Number of server-side passwords hashing iterations.
/// The changes only apply when a user changes their password. Not recommended to lower the value
/// The changes only apply when a user changes their password. Not recommended to lower the value
password_iterations: i32, true, def, 100_000;
password_iterations: i32, true, def, 100_000;
/// Show password hints |> Controls if the password hint should be shown directly in the web page.
/// Show password hint |> Controls whether a password hint should be shown directly in the web page
/// Otherwise, if email is disabled, there is no way to see the password hint
/// if SMTP service is not configured. Not recommended for publicly-accessible instances as this
show_password_hint: bool, true, def, true;
/// provides unauthenticated access to potentially sensitive data.
show_password_hint: bool, true, def, false;
/// Admin page token |> The token used to authenticate in this very same page. Changing it here won't deauthorize the current session
/// Admin page token |> The token used to authenticate in this very same page. Changing it here won't deauthorize the current session
admin_token: Pass, true, option;
admin_token: Pass, true, option;
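Review bot: flipping the default in `show_password_hint: bool, true, def, false;` silently changes behaviour for existing installs that relied on the old `def, true` when they upgrade, and nothing in the `make_config!` hunk makes that visible at runtime; suggest logging a warning at startup when `show_password_hint` is enabled while mail is not configured, so an admin who deliberately re-enables it on a public instance sees the same caution the new doc comment gives (`Not recommended for publicly-accessible instances as this provides unauthenticated access to potentially sensitive data.`), and adding a unit test that pins the default to `false` so it is not reverted by accident. The doc comment and the renamed label (`Show password hint`) otherwise read fine and match the template text in the first hunk.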