
when DBIdentityManager is configured, deny requests involving filters on password property

Description

Clients can snoop passwords by sending requests that include a filter on the password property: the server evaluates the filter against the stored password and reveals, through the matched result set, whether it satisfied the condition.

For instance, the following query checks whether the password starts with "a":

GET /userbase/accounts?filter={"password":{"$regex":"a.*"}}
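The mitigation the title asks for, as an added example that is not RESTHeart's own code: a request-level check that parses the filter query parameter and denies the request when any key path, logical sub-filter ($and/$or/$nor/$not/$elemMatch) or $expr field reference touches the password property, failing closed on unparsable filters. The URL layout and the property name "password" are taken from the issue; the function names are assumptions.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Property that must never be filterable by clients (from the issue: "password").
DENIED_PROPERTY = "password"


def filter_touches_property(node, prop):
    """Recursively walk a MongoDB-style filter document and report whether any
    field key (also under $and/$or/$nor/$not/$elemMatch) is the protected
    property or one of its sub-paths, or whether an aggregation-style field
    reference ("$password") names it. $where is denied outright, since
    server-side JavaScript can read any field."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "$where":
                return True
            if key == prop or key.startswith(prop + "."):
                return True
            # Logical operators carry arrays or sub-documents of filters;
            # ordinary operators ($regex, $in, ...) carry plain values.
            if filter_touches_property(value, prop):
                return True
        return False
    if isinstance(node, list):
        return any(filter_touches_property(item, prop) for item in node)
    if isinstance(node, str):
        # Field reference inside $expr: "$password" or "$password.sub".
        return node == "$" + prop or node.startswith("$" + prop + ".")
    return False


def should_deny_request(url, prop=DENIED_PROPERTY):
    """Return True when a request's ?filter= references the protected property
    or cannot be parsed as JSON (fail closed rather than pass an unknown
    filter through to the database)."""
    params = parse_qs(urlsplit(url).query)
    for raw in params.get("filter", []):
        try:
            doc = json.loads(raw)
        except ValueError:
            return True
        if filter_touches_property(doc, prop):
            return True
    return False


if __name__ == "__main__":
    # The request from the issue must be denied; a filter on "name" is allowed.
    print(should_deny_request('/userbase/accounts?filter={"password":{"$regex":"a.*"}}'))
    print(should_deny_request('/userbase/accounts?filter={"name":"bob"}'))
```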

Environment

None

Status

Assignee

Andrea Di Cesare

Reporter

Andrea Di Cesare

Labels

None

Affects versions

3.3

Priority

Critical