  • Gavin Lyons 13 posts 71 karma points
    Nov 11, 2013 @ 14:58
    1

    Contour.CodeFirstExample Login stores password in clear text.

    Hi,

     

    I'm using Umbraco 4.11.8 with Contour 3.0.15 to create a Login Form.

    However I've noticed the login and password are being stored in clear text in the UFRecordDataString table.

    Is there any way to prevent this?

    I’ve tried the option StoreRecordsLocally=false but that does seem to affect it. I don't need the record stored at all in the database.

    Thanks,

    Gavin

     

    using System;
    using System.Collections.Generic;
    using Umbraco.Forms.CodeFirst;
    using Umbraco.Forms.Core.Providers.FieldTypes;
    using umbraco.cms.businesslogic.member;
     
    namespace Contour.CodeFirstExample
    {
        [Form("Member/Login", ShowValidationSummary = true, MessageOnSubmit ="You are now logged in")]
        public class Login: FormBase
        {
            [Field("Login", "",
               Mandatory = true,
               Regex = @"(\w[-._\w]*\w@\w[-._\w]*\w\.\w{2,3})")]
            public string Email { get; set; }
     
            [Field("Login", "",
                Type = typeof(Password),
                Mandatory = true)]
            public string Password { get; set; }
     
     
            public override IEnumerable<Exception> Validate()
            {
                var e = new List<Exception>();
     
                if(Member.GetMemberFromLoginName(Email) == null)
                    e.Add(new Exception("No member found with that email address"));
                else if (Member.GetMemberFromLoginNameAndPassword(Email, Password) == null)
                    e.Add(new Exception("Incorrect password"));
     
                return e;
            }
     
            public override void Submit()
            {
               var m = Member.GetMemberFromLoginNameAndPassword(Email, Password);
               if (m != null)
                   Member.AddMemberToCache(m);
            }
        }
    }
  • Gavin Lyons 13 posts 71 karma points
    Nov 20, 2013 @ 10:52
    0

    No answer on this, maybe I'm doing something wrong or this is a serious security issue. Any ideas?

    Thanks,

    Gavin

  • Comment author was deleted

    Nov 22, 2013 @ 11:36

    Yeah setting StoreRecordsLocally=false should prevent it from adding

    Might be a bug then, looking into it

  • Gavin Lyons 13 posts 71 karma points
    Nov 22, 2013 @ 11:43
    1

    Hi Tim,

    Thank you for looking into this. I've made a workaround using a workflow to clear out and mask the records.

    Gavin


    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;

    using Umbraco.Forms.CodeFirst;
    using Umbraco.Forms.Core;
    using Umbraco.Forms.Core.Enums;
    using Umbraco.Forms.Core.Providers.FieldTypes;
    using Umbraco.Forms.Core.Providers;
    using Umbraco.Forms.Core.Providers.WorkflowTypes;

    using Umbraco.Forms.Data.Storage;

    namespace Application.Web.ContourExtended.WorkFlowType
    {
    [Workflow("Secure WorkFlow", FormState.Approved)]
    public class SecureWorkFlow : WorkflowBase
    {
        public override WorkflowType Type
        {
            get { return new Application.Web.ContourExtended.WorkFlowType.SecureSavedRecords { }; }
        }
    }

    public class SecureSavedRecords : Umbraco.Forms.Core.WorkflowType
    {
        public SecureSavedRecords()
        {
            this.Name = "Delete Saved Records Workflow";
            this.Id = new Guid("D6A2C406-CF89-11DE-B075-55B055D85592");
            this.Description = "This will save an entry securely";
        }
    
        public override WorkflowExecutionStatus Execute(Umbraco.Forms.Core.Record record, RecordEventArgs e)
        {
    
                List<object> l = new List<object>();
                l.Add("XXXX");
                //we can then iterate through the fields
                foreach(var k in record.RecordFields.Keys){
                       record.RecordFields[k].Values = l;
                       System.Diagnostics.Debug.WriteLine("Record Value:" + record.RecordFields[k].ValuesAsString());
                }
    
                //If we altered a field, we can save it using the record storage 
                RecordStorage store = new RecordStorage();
                store.UpdateRecord(record, e.Form);
                store.UpdateRecordXml(record, e.Form);
                store.Dispose();
                System.Diagnostics.Debug.WriteLine("Record Updated.");
    
    
    
            /// This function below deletes passed stored Forms!!!!!
                var allEntries = Contour.Addons.DynamicObjects.Library.GetRecordsFromForm(e.Form.Id.ToString());
                if (allEntries.Items.Count() > 0)
                {
                    Umbraco.Forms.Data.Storage.RecordStorage recordStorage = new Umbraco.Forms.Data.Storage.RecordStorage();
                    foreach (var entry in allEntries.Items)
                    {
                        if (record.Id != new Guid(entry.Id))
                        {
                            try
                            {
                                Record f = recordStorage.GetRecord(new Guid(entry.Id));
                                var r = new Umbraco.Forms.Core.Services.RecordService(f);
                                r.Delete();
                                System.Diagnostics.Debug.WriteLine("Form Records Deleted!");
                                r.Dispose();
                            }
                            catch
                            {
                                System.Diagnostics.Debug.WriteLine("Catch couldn't delete all records");
                            }
                        }
                    }
                    recordStorage.Dispose();
                }
    
            return WorkflowExecutionStatus.Completed;
        }
    
    
        public override List<Exception> ValidateSettings()
        {
          List<Exception> exceptions = new List<Exception>();           
          return exceptions;
        }
    
    }
    

    }

  • Comment author was deleted

    Nov 22, 2013 @ 11:46

    Ok :) but will make sure the StoreRecordsLocally does what it is supposed to do :)

  • Comment author was deleted

    Nov 22, 2013 @ 11:50

    Issue here if you want to keep track of it http://issues.umbraco.org/issue/CON-480
