From 8d50def4129df925f82184c55f13ff323bb78965 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Tue, 20 Nov 2012 11:22:57 +0100
Subject: [PATCH] Sec: Do not init password by default when install pages are
 recalled

---
 htdocs/install/etape1.php   | 8 +++++++-
 htdocs/install/fileconf.php | 9 ++++++---
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/htdocs/install/etape1.php b/htdocs/install/etape1.php
index 0d7a76067d1..992eeedb687 100644
--- a/htdocs/install/etape1.php
+++ b/htdocs/install/etape1.php
@@ -1,6 +1,6 @@
 <?php
 /* Copyright (C) 2004-2007 Rodolphe Quiedeville <rodolphe@quiedeville.org>
- * Copyright (C) 2004-2011 Laurent Destailleur  <eldy@users.sourceforge.net>
+ * Copyright (C) 2004-2012 Laurent Destailleur  <eldy@users.sourceforge.net>
  * Copyright (C) 2004      Benoit Mortier       <benoit.mortier@opensides.be>
  * Copyright (C) 2004      Sebastien Di Cintio  <sdicintio@ressource-toi.org>
  * Copyright (C) 2005-2011 Regis Houssin        <regis@dolibarr.fr>
@@ -52,6 +52,12 @@ $db_pass=GETPOST('db_pass');
 $db_port=GETPOST('db_port','int');
 $db_prefix=GETPOST('db_prefix','alpha');
 
+session_start();	// To be able to keep info into session (used for not loosing pass during navigation. pass must not transit throug parmaeters)
+
+// Save a flag to tell to restore input value if we do back
+$_SESSION['dol_save_pass']=$db_pass;
+//$_SESSION['dol_save_passroot']=$passroot;
+
 // Now we load forced value from install.forced.php file.
 $useforcedwizard=false;
 $forcedfile="./install.forced.php";
diff --git a/htdocs/install/fileconf.php b/htdocs/install/fileconf.php
index 2ba95dec92e..4cb44467761 100644
--- a/htdocs/install/fileconf.php
+++ b/htdocs/install/fileconf.php
@@ -69,6 +69,8 @@ if (@file_exists($forcedfile)) {
  *	View
  */
 
+session_start();	// To be able to keep info into session (used for not loosing pass during navigation. pass must not transit throug parmaeters)
+
 pHeader($langs->trans("ConfigurationFile"),"etape1","set","",(empty($force_dolibarr_js_JQUERY)?'':$force_dolibarr_js_JQUERY.'/'));
 
 // Test if we can run a first install process
@@ -407,7 +409,8 @@ if (! empty($force_install_message))
 		<td class="label" valign="top"><input type="text" id="db_pass" autocomplete="off"
 			name="db_pass"
 			value="<?php
-			$autofill=((! empty($dolibarr_main_db_pass))?$dolibarr_main_db_pass:$force_install_databasepass);
+			//$autofill=((! empty($dolibarr_main_db_pass))?$dolibarr_main_db_pass:$force_install_databasepass);
+			$autofill=((! empty($_SESSION['dol_save_pass']))?$_SESSION['dol_save_pass']:$force_install_databasepass);
 			if (! empty($dolibarr_main_prod)) $autofill='';
 			print dol_escape_htmltag($autofill);
 			?>"></td>
@@ -438,7 +441,7 @@ if (! empty($force_install_message))
 	</tr>
 
 	<tr class="hidesqlite hideroot">
-		<td class="label" valign="top"><?php echo $langs->trans("Login"); ?></td>
+		<td class="label" valign="top"><b><?php echo $langs->trans("Login"); ?></b></td>
 		<td class="label" valign="top"><input type="text" id="db_user_root"
 			name="db_user_root" class="needroot"
 			value="<?php print (! empty($db_user_root))?$db_user_root:$force_install_databaserootlogin; ?>"></td>
@@ -455,7 +458,7 @@ if (! empty($force_install_message))
 	</tr>
 
 	<tr class="hidesqlite hideroot">
-		<td class="label" valign="top"><?php echo $langs->trans("Password"); ?>
+		<td class="label" valign="top"><b><?php echo $langs->trans("Password"); ?></b>
 		</td>
 		<td class="label" valign="top"><input type="text" autocomplete="off"
 			id="db_pass_root" name="db_pass_root" class="needroot"