  • Gavin Lyons 13 posts 71 karma points
    Nov 11, 2013 @ 14:58
    Gavin Lyons
    1

    Contour.CodeFirstExample Login stores password in clear text.

    Hi,

     

    I'm using Umbraco 4.11.8 with Contour 3.0.15 to create a Login Form.

    However I've noticed the login and password are being stored in clear text in the UFRecordDataString table.

    Is there any way to prevent this?

    I've tried the option StoreRecordsLocally=false but that does seem to affect it. I don't need the record stored at all in the database.

    Thanks,

    Gavin

     

    using System;
    using System.Collections.Generic;
    using Umbraco.Forms.CodeFirst;
    using Umbraco.Forms.Core.Providers.FieldTypes;
    using umbraco.cms.businesslogic.member;
     
    namespace Contour.CodeFirstExample
    {
        [Form("Member/Login", ShowValidationSummary = true, MessageOnSubmit ="You are now logged in")]
        public class Login: FormBase
        {
            [Field("Login", "",
               Mandatory = true,
               Regex = @"(\w[-._\w]*\w@\w[-._\w]*\w\.\w{2,3})")]
            public string Email { get; set; }
     
            [Field("Login", "",
                Type = typeof(Password),
                Mandatory = true)]
            public string Password { get; set; }
     
     
            public override IEnumerable<Exception> Validate()
            {
                var e = new List<Exception>();
     
                if(Member.GetMemberFromLoginName(Email) == null)
                    e.Add(new Exception("No member found with that email address"));
                else if (Member.GetMemberFromLoginNameAndPassword(Email, Password) == null)
                    e.Add(new Exception("Incorrect password"));
     
                return e;
            }
     
            public override void Submit()
            {
               var m = Member.GetMemberFromLoginNameAndPassword(Email, Password);
               if (m != null)
                   Member.AddMemberToCache(m);
            }
        }
    }
  • Gavin Lyons 13 posts 71 karma points
    Nov 20, 2013 @ 10:52
    Gavin Lyons
    0

    No answer on this, maybe I'm doing something wrong or this is a serious security issue. Any ideas?

    Thanks,

    Gavin

  • Comment author was deleted

    Nov 22, 2013 @ 11:36

    Yeah setting StoreRecordsLocally=false should prevent it from adding

    Might be a bug then, looking into it

  • Gavin Lyons 13 posts 71 karma points
    Nov 22, 2013 @ 11:43
    Gavin Lyons
    1

    Hi Tim,

    Thank you for looking into this. I've made a workaround using a workflow to clear out and mask the records.

    Gavin


    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using Umbraco.Forms.CodeFirst;
    using Umbraco.Forms.Core;
    using Umbraco.Forms.Core.Enums;
    using Umbraco.Forms.Core.Providers.FieldTypes;
    using Umbraco.Forms.Core.Providers;
    using Umbraco.Forms.Core.Providers.WorkflowTypes;
    using Umbraco.Forms.Data.Storage;

    namespace Application.Web.ContourExtended.WorkFlowType
    {
    [Workflow("Secure WorkFlow", FormState.Approved)]
    public class SecureWorkFlow : WorkflowBase
    {
        public override WorkflowType Type
        {
            get { return new Application.Web.ContourExtended.WorkFlowType.SecureSavedRecords { }; }
        }
    }

    public class SecureSavedRecords : Umbraco.Forms.Core.WorkflowType
    {
        public SecureSavedRecords()
        {
            this.Name = "Delete Saved Records Workflow";
            this.Id = new Guid("D6A2C406-CF89-11DE-B075-55B055D85592");
            this.Description = "This will save an entry securely";
        }
    
        public override WorkflowExecutionStatus Execute(Umbraco.Forms.Core.Record record, RecordEventArgs e)
        {
    
                List<object> l = new List<object>();
                l.Add("XXXX");
                //we can then iterate through the fields
                foreach(var k in record.RecordFields.Keys){
                       record.RecordFields[k].Values = l;
                       System.Diagnostics.Debug.WriteLine("Record Value:" + record.RecordFields[k].ValuesAsString());
                }
    
                //If we altered a field, we can save it using the record storage 
                RecordStorage store = new RecordStorage();
                store.UpdateRecord(record, e.Form);
                store.UpdateRecordXml(record, e.Form);
                store.Dispose();
                System.Diagnostics.Debug.WriteLine("Record Updated.");
    
    
    
            /// This function below deletes passed stored Forms!!!!!
                var allEntries = Contour.Addons.DynamicObjects.Library.GetRecordsFromForm(e.Form.Id.ToString());
                if (allEntries.Items.Count() > 0)
                {
                    Umbraco.Forms.Data.Storage.RecordStorage recordStorage = new Umbraco.Forms.Data.Storage.RecordStorage();
                    foreach (var entry in allEntries.Items)
                    {
                        if (record.Id != new Guid(entry.Id))
                        {
                            try
                            {
                                Record f = recordStorage.GetRecord(new Guid(entry.Id));
                                var r = new Umbraco.Forms.Core.Services.RecordService(f);
                                r.Delete();
                                System.Diagnostics.Debug.WriteLine("Form Records Deleted!");
                                r.Dispose();
                            }
                            catch
                            {
                                System.Diagnostics.Debug.WriteLine("Catch couldn't delete all records");
                            }
                        }
                    }
                    recordStorage.Dispose();
                }
    
            return WorkflowExecutionStatus.Completed;
        }
    
    
        public override List<Exception> ValidateSettings()
        {
          List<Exception> exceptions = new List<Exception>();           
          return exceptions;
        }
    
    }
    

    }
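
A narrower variant of the workaround above, as an added example that is not part of the original post or of Contour itself: it overwrites only the fields whose caption is listed as sensitive and leaves other fields and other records in place. The class name, the placeholder GUID, the caption "Password" and the `Field.Caption` lookup are assumptions; the remaining calls are the ones that appear in the post, and the type is attached through a `WorkflowBase` class in the same way as `SecureSavedRecords`.

```csharp
using System;
using System.Collections.Generic;
using Umbraco.Forms.Core;
using Umbraco.Forms.Core.Enums;
using Umbraco.Forms.Data.Storage;

namespace Application.Web.ContourExtended.WorkFlowType
{
    // Added example (hypothetical class): masks only sensitive fields.
    public class MaskSensitiveFields : Umbraco.Forms.Core.WorkflowType
    {
        // Assumption: the code-first Password property produces the caption "Password".
        private static readonly HashSet<string> SensitiveCaptions =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Password" };

        public MaskSensitiveFields()
        {
            this.Name = "Mask sensitive fields";
            // Placeholder id: generate a fresh GUID for a real workflow type.
            this.Id = new Guid("00000000-0000-0000-0000-000000000001");
            this.Description = "Overwrites the stored values of sensitive fields";
        }

        public override WorkflowExecutionStatus Execute(Umbraco.Forms.Core.Record record, RecordEventArgs e)
        {
            bool changed = false;
            foreach (var k in record.RecordFields.Keys)
            {
                var rf = record.RecordFields[k];
                // Assumption: RecordField exposes its field definition as Field.Caption.
                if (rf.Field == null || !SensitiveCaptions.Contains(rf.Field.Caption))
                    continue;
                rf.Values = new List<object> { "XXXX" }; // the old value is never logged
                changed = true;
            }
            if (!changed)
                return WorkflowExecutionStatus.Completed;
            // Same two storage calls the post's workaround uses.
            RecordStorage store = new RecordStorage();
            try
            {
                store.UpdateRecord(record, e.Form);
                store.UpdateRecordXml(record, e.Form);
            }
            finally { store.Dispose(); }
            return WorkflowExecutionStatus.Completed;
        }

        public override List<Exception> ValidateSettings() { return new List<Exception>(); }
    }
}
```

Like the original workaround, this rewrites a record that has already been stored, so it shortens how long the clear-text value sits in UFRecordDataString rather than preventing the write.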

  • Comment author was deleted

    Nov 22, 2013 @ 11:46

    Ok :) but will make sure the StoreRecordsLocally does what it is supposed to do :)

  • Comment author was deleted

    Nov 22, 2013 @ 11:50

    Issue here if you want to keep track of it http://issues.umbraco.org/issue/CON-480
