Radarr: Connection password retrievable on edit.

Created on 10 Oct 2019 · 3 Comments · Source: Radarr/Radarr

Describe the bug
When editing a connection, it is possible to retrieve the current password from the edit modal using JavaScript.

To Reproduce
Steps to reproduce the behavior:

  1. Go to Settings
  2. Go to Connect tab
  3. Edit an existing connection.
  4. Run, for example, $("input.form-control[name='fields.3.value']").val() in the JavaScript console.
  5. See your password exposed.

Expected behavior
Password is not visible unless changed/manually filled out.

Desktop (please complete the following information):

  • Browser: Chrome
  • Version: 77.0.3865.90
  • Radarr version: 0.2.0.1358 with Mono 5.20.1.34

One of the possible solutions would be implementing OAuth2 (for Plex at least), like Sonarr has (at least in the new UI).

bug

All 3 comments

Issue-Label Bot is automatically applying the label bug to this issue, with a confidence of 0.92. Please mark this comment with :thumbsup: or :thumbsdown: to give our bot feedback!

Links: app homepage, dashboard and code for this bot.

You can do this same thing in the new Sonarr UI, $("input[name='password']").val(). If you want to protect this info, use auth on your Sonarr/Radarr instance.

I'm gonna close this, since it exists in Sonarr too. Maybe some day they'll get a security audit and a looking into, but I wouldn't expose any of this automation software. :)
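
Added example, not part of the original thread and not Radarr's or Sonarr's code: one way to get the expected behavior from the report is to have the server send a placeholder instead of the stored secret and keep the stored value when the placeholder comes back unchanged. The field schema, the type names and the MASK value are assumptions for illustration.

```javascript
// Added example: hypothetical field schema, not Radarr's actual API.
const MASK = "********"; // placeholder sent to the browser instead of the secret
const SECRET_TYPES = new Set(["password", "apiKey"]); // assumed type names

// Serialize a stored connection for the edit modal; secrets stay on the server.
function toClientView(connection) {
  return {
    ...connection,
    fields: connection.fields.map((f) =>
      SECRET_TYPES.has(f.type) && f.value ? { ...f, value: MASK } : { ...f }
    ),
  };
}

// Apply an edit submitted by the browser. A secret field that still holds the
// placeholder means "unchanged", so the stored value is kept.
function applyClientEdit(stored, submitted) {
  const storedByName = new Map(stored.fields.map((f) => [f.name, f]));
  return {
    ...stored,
    name: submitted.name,
    fields: submitted.fields.map((f) => {
      const prev = storedByName.get(f.name);
      if (prev && SECRET_TYPES.has(prev.type) && f.value === MASK) return { ...prev };
      return { ...f, type: prev ? prev.type : f.type };
    }),
  };
}

// Constructed sample data.
const storedConnection = {
  id: 1,
  name: "Media server",
  fields: [
    { name: "host", type: "text", value: "media.example.internal" },
    { name: "username", type: "text", value: "radarr" },
    { name: "password", type: "password", value: "s3cr3t-constructed" },
  ],
};

function demo() {
  const view = toClientView(storedConnection); // what the edit modal receives
  const unchanged = applyClientEdit(storedConnection, view); // saved without edits
  const submitted = { ...view, fields: view.fields.map((f) => (f.name === "password" ? { ...f, value: "new-pass" } : f)) };
  return { view, unchanged, edited: applyClientEdit(storedConnection, submitted) };
}
```

With this shape, reading the input's value in the console returns only the placeholder. A password that is literally equal to the placeholder cannot be set, so a real implementation would pick a sentinel that cannot be typed or track a separate "changed" flag.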
