From 075cc4824a3f12aeb76ae2ee9523e66f05a32fe7 Mon Sep 17 00:00:00 2001
From: frytimo
Date: Thu, 12 Dec 2024 13:03:21 -0400
Subject: [PATCH] Security, Use the same number of characters for the masked password (#7198)
* security set display asterisks to constant number Harder to guess when length is also hidden
---
 core/default_settings/default_settings.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/default_settings/default_settings.php b/core/default_settings/default_settings.php
index 5c1f477daf..07c5b5939b 100644
--- a/core/default_settings/default_settings.php
+++ b/core/default_settings/default_settings.php
@@ -530,7 +530,7 @@
 echo " [...]\n";
 }
 else if ($subcategory == 'password' || substr_count($subcategory, '_password') > 0 || substr_count($subcategory, '_key') > 0 || substr_count($subcategory, '_secret') > 0) {
- echo " ".str_repeat('*', strlen($row['default_setting_value'] ?? ''));
+ echo " ".str_repeat('*', 10); //use the same number of characters to mask the password length
 }
 else if ($category == 'theme' && $subcategory == 'button_icons' && $name == 'text') {
 echo " ".$text['option-button_icons_'.$row['default_setting_value']]."\n";
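Review bot: With the fixed-width mask on the `+` line, a secret setting whose value is empty or null now renders as ten asterisks, so the list no longer shows an administrator that a password, key or secret is unset. If revealing set-versus-unset is acceptable, guard the mask with `echo " ".(($row['default_setting_value'] ?? '') !== '' ? str_repeat('*', 10) : '');`; if hiding that as well is intended, the trailing comment should say so. The branch is selected by substring tests for `_password`, `_key` and `_secret`, so a sensitive subcategory named differently (a token, for instance) would presumably still be printed in clear and is worth checking against the settings actually defined. The enclosing if/else chain starts and ends outside the hunk.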