Prevent user passwords from appearing in stacktraces during password change when violating regex rules


Problem

When a user changes their password to one that does not conform to the Regex Password Rules, the error is not properly intercepted and is displayed on the user's screen as a stack trace. This is a privacy risk because the password is displayed both on screen and in the stack traces written to the server logs.

Steps to Reproduce

1. Create a password regex ([A-Z]) for the Crowd directory
2. Change the password to one that does not match the regex rule

Expected Results

Confluence provides a user-friendly error noting the mismatch between the user's password and the Regex Rules, without displaying the user's password.

Actual Results

Crowd displays a stack trace that includes the user's password.

Suggestion

Display a more "user-friendly" error that clearly states the issue without displaying the password, or remove the user's password from the error output.
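An added example (not Crowd or Confluence code) that models the failure and the fix: a validator that puts the rejected password into the exception message leaks it into any rendered stack trace, while one that raises a policy error naming only the rule does not. The `[A-Z]` rule and the sample passwords are constructed, and applying the rule as a search rather than a full match is an assumption.

```python
import re
import traceback

# Constructed rule, mirroring the [A-Z] rule in the report; not Crowd's config.
PASSWORD_REGEX = r"[A-Z]"


class PasswordPolicyError(Exception):
    """Raised when a candidate password violates the directory's regex rule.
    Carries only the rule text, never the candidate password."""

    def __init__(self, rule: str):
        super().__init__(f"Password does not satisfy the directory rule /{rule}/")
        self.rule = rule


def validate_leaky(password: str, rule: str = PASSWORD_REGEX) -> None:
    """The reported failure mode: the rejected value is embedded in the
    exception message, so any stack trace shown on screen or written to the
    server log reveals it."""
    if not re.search(rule, password):  # assumption: rule is applied as a search
        raise ValueError(f"Password '{password}' does not match /{rule}/")


def validate_safe(password: str, rule: str = PASSWORD_REGEX) -> None:
    """Hardened form: identical check, but the exception names only the rule."""
    if not re.search(rule, password):
        raise PasswordPolicyError(rule)


def trace_leaks_secret(validator, password: str) -> bool:
    """Run a validator and report whether the rendered stack trace (what a user
    screen or server log would contain) includes the password itself."""
    try:
        validator(password)
        return False
    except Exception:
        return password in traceback.format_exc()


def user_message(validator, password: str) -> str:
    """Model the controller's error handling: a policy violation becomes a short
    message for the user; any other exception falls through to a generic handler
    that dumps the full trace, which is the behaviour reported against Crowd."""
    try:
        validator(password)
        return "ok"
    except PasswordPolicyError as exc:
        return str(exc)
    except Exception:
        return traceback.format_exc()
```

The `trace_leaks_secret` check is the kind of regression test worth keeping beside a password-change handler, since the leak reappears whenever someone adds the rejected value back into an error message.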

Attachments: changepassword.jpeg (379 kB, Robert Louie)

Assignee: Unassigned
Reporter: Sushree Shailaja Satapathy
Votes: 3
Watchers: 2