[ticket/sec-184] Do not output LDAP password to HTML

SECURITY-184

phpBB/includes/acp/acp_board.php

@@ -567,6 +567,7 @@ class acp_board
 			$old_auth_config = array();
 			foreach ($auth_providers as $provider)
 			{
+				/** @var \phpbb\auth\provider\provider_interface $provider */
 				if ($fields = $provider->acp())
 				{
 					// Check if we need to create config fields for this plugin and save config when submit was pressed
@@ -582,6 +583,14 @@ class acp_board
 							continue;
 						}
 
+						if (substr($field, -9) === '_password' && $cfg_array[$field] === '********')
+						{
+							// Do not update password fields if the content is ********,
+							// because that is the password replacement we use to not
+							// send the password to the output
+							continue;
+						}
+
 						$old_auth_config[$field] = $this->new_config[$field];
 						$config_value = $cfg_array[$field];
 						$this->new_config[$field] = $config_value;

phpBB/phpbb/auth/provider/ldap.php

@@ -289,7 +289,6 @@ class ldap extends \phpbb\auth\provider\base
 	/**
 	 * {@inheritdoc}
 	 */
-
 	public function acp()
 	{
 		// These are fields required in the config table
@@ -308,7 +307,7 @@ class ldap extends \phpbb\auth\provider\base
 			'TEMPLATE_VARS'	=> array(
 				'AUTH_LDAP_BASE_DN'		=> $new_config['ldap_base_dn'],
 				'AUTH_LDAP_EMAIL'		=> $new_config['ldap_email'],
-				'AUTH_LDAP_PASSORD'		=> $new_config['ldap_password'],
+				'AUTH_LDAP_PASSORD'		=> $new_config['ldap_password'] !== '' ? '********' : '',
 				'AUTH_LDAP_PORT'		=> $new_config['ldap_port'],
 				'AUTH_LDAP_SERVER'		=> $new_config['ldap_server'],
 				'AUTH_LDAP_UID'			=> $new_config['ldap_uid'],