Opened 9 years ago

Closed 8 years ago

#9555 closed Bug Report (Fixed)

Insecure password handling by mythfilldatabase

Reported by: Marc Randolph <mrand@…> Owned by: beirdo
Priority: major Milestone: 0.25
Component: MythTV - Mythfilldatabase Version: 0.24-fixes
Severity: medium Keywords:
Cc: Ticket locked: no

Description

  1. It uses http (rather than https) in the wget command, so schedules direct password is being transmitted in the clear across the internet
  1. The schedules direct password is placed on the command line of the wget command, which potentially allows any user that shares that system can see the password in the clear

If these can't be fixed, perhaps a warning should be displayed on the schedules direct setup screen that these behaviors will be occuring so that the user can be forewarned.

Forwarding upstream from: https://bugs.launchpad.net/ubuntu/+source/mythtv/+bug/672895

Change History (3)

comment:1 Changed 9 years ago by stuartm

Owner: changed from stuartm to sphery
Priority: minormajor
Status: newassigned

comment:2 Changed 8 years ago by beirdo

Milestone: unknown0.25
Owner: changed from sphery to beirdo

The first part is due to how that connection works, and could require changing things with TMS. Don't count on it.

The second is now not an issue as we no longer use wget as of 8d4c63af57b51193fe72efed9cce781641a0becc on master. No further changes are expected for 0.24.

comment:3 Changed 8 years ago by beirdo

Resolution: Fixed
Status: assignedclosed
Note: See TracTickets for help on using tickets.