SessionProvider MySQL credentials are shown in the admin GUI as plaintext

[vpr-ossteam]

• Gitea version (or commit ref): 1.8.1
• Git version: 2.7.4
• Operating system: Ubuntu 16.04
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist:

Description

Greetings!
I'm using Gitea 1.8.1 with MySQL 5.7. And if I'm using MySQL for session storing purposes, I can see the credentials in GUI as plaintext.

Steps to reproduce

1. Select MySQL like a sessions storage in the config file:

[session]
PROVIDER        = mysql
PROVIDER_CONFIG = someclient:somepassword@tcp(srv-mysql:3306)/someclient

2. Reload Gitea
3. Login in into Gitea with admin credentials
4. Follow this way: Site Administration ⇒ Configuration ⇒ Session Configuration ⇒ Provider Config

Screenshots

[markkrj]

I still can see the password. I'm on version 1.10.0.

Edit: Tested same config with 1.9.0 and also shows unmasked password.

[zeripath]

This was reFixed in #9002 and #8984

[markkrj]

@zeripath Well, now it shows nothing:

Running 1.10.0+10-gade5ec5aa

But still better than showing credentials.

[zeripath]

Do you have/get any logs?

[markkrj]

No errors or strange logs in console, just usual router logs... I have the default gitea.log. Tell me if you need more.