Index: openacs-4/packages/acs-subsite/acs-subsite.info =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/acs-subsite.info,v diff -u -r1.131.2.10 -r1.131.2.11 --- openacs-4/packages/acs-subsite/acs-subsite.info 22 Nov 2019 18:41:34 -0000 1.131.2.10 +++ openacs-4/packages/acs-subsite/acs-subsite.info 28 Nov 2019 11:06:31 -0000 1.131.2.11 @@ -9,7 +9,7 @@ t t - + OpenACS Subsite 2017-08-06 @@ -18,11 +18,11 @@ GPL 3 - + - + Index: openacs-4/packages/acs-subsite/lib/user-new.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/lib/user-new.tcl,v diff -u -r1.23 -r1.23.2.1 --- openacs-4/packages/acs-subsite/lib/user-new.tcl 30 Jun 2018 21:08:42 -0000 1.23 +++ openacs-4/packages/acs-subsite/lib/user-new.tcl 28 Nov 2019 11:06:31 -0000 1.23.2.1 @@ -182,9 +182,16 @@ } -after_submit { if { $next_url ne "" } { - # Add user_id and account_message to the URL - - ad_returnredirect [export_vars -base $next_url {user_id password {account_message $creation_info(account_message)}}] + # + # Add user_id and account_message to the URL, but do not pass + # password via query parameter. We have to make sure that + # $next_url tries to get the password from the client property + # as well. + # + security::set_client_property_password $password + ad_returnredirect [export_vars -base $next_url { + user_id {account_message $creation_info(account_message)} + }] ad_script_abort } Index: openacs-4/packages/acs-tcl/acs-tcl.info =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/acs-tcl.info,v diff -u -r1.95.2.7 -r1.95.2.8 --- openacs-4/packages/acs-tcl/acs-tcl.info 22 Nov 2019 18:41:34 -0000 1.95.2.7 +++ openacs-4/packages/acs-tcl/acs-tcl.info 28 Nov 2019 11:06:31 -0000 1.95.2.8 @@ -9,7 +9,7 @@ f t - + OpenACS The Kernel Tcl API library. 2017-08-06 
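Review bot: In the user-new.tcl hunk (the `-after_submit` block), the new comment says the `$next_url` target has to fetch the password from the client property, but nothing visible here changes or checks any target, so a page that still expects `password` in the query string will now receive none. The comment should name the accessor so maintainers of such pages know what to call, e.g. `# Targets of $next_url must call security::get_client_property_password; the password is no longer sent in the URL.` The call `security::set_client_property_password $password` also leaves the clear-text password in session state after the redirect, and whether anything clears it afterwards is not visible in this hunk. The enclosing form definition starts and ends outside the hunk.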
@@ -18,7 +18,7 @@ GPL version 2 3 - + Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v diff -u -r1.126.2.22 -r1.126.2.23 --- openacs-4/packages/acs-tcl/tcl/security-procs.tcl 16 Nov 2019 15:45:55 -0000 1.126.2.22 +++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl 28 Nov 2019 11:06:31 -0000 1.126.2.23 @@ -1837,8 +1837,25 @@ util_memoize_seed [list sec_lookup_property $session_id $module $name] [list $value $secure] } +ad_proc -public security::set_client_property_password {password} { + + Convenience function for remembering user password as client property + rather than passing it as query parameter. + @see security::get_client_property_password +} { + ad_set_client_property -persistent f acs-admin user-password $password +} +ad_proc -public security::get_client_property_password {password} { + + Convenience function for retrieving user password from client property + @see security::set_client_property_password + +} { + return [ad_get_client_property acs-admin user-password] +} + ##### # # security namespace public procs Index: openacs-4/packages/dotlrn/dotlrn.info =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/dotlrn/dotlrn.info,v diff -u -r1.148.2.2 -r1.148.2.3 --- openacs-4/packages/dotlrn/dotlrn.info 17 May 2019 19:28:06 -0000 1.148.2.2 +++ openacs-4/packages/dotlrn/dotlrn.info 28 Nov 2019 11:06:31 -0000 1.148.2.3 
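Review bot: In the security-procs.tcl hunk, `security::get_client_property_password` declares a required `password` argument that its body never uses, so every caller has to pass a dummy value; the signature should be `ad_proc -public security::get_client_property_password {} {`. The setter stores the clear-text password under `acs-admin user-password` with `-persistent f`, and neither proc clears it, so the value appears to stay readable for the rest of the session after it has been consumed. Consider having the getter overwrite the property once it has been read, e.g. `ad_set_client_property -persistent f acs-admin user-password ""` before returning the saved value, if no caller needs to read it twice. Both docstrings should also state that the value is a clear-text credential intended for a single hand-off between two requests.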
@@ -7,17 +7,17 @@ f f - + OpenACS A Course Management System 2017-08-06 DotLRN Consortium 2 Course Management - + - + Index: openacs-4/packages/dotlrn/www/user-add-2.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/dotlrn/www/user-add-2.tcl,v diff -u -r1.18 -r1.18.2.1 --- openacs-4/packages/dotlrn/www/user-add-2.tcl 29 Jun 2018 17:27:19 -0000 1.18 +++ openacs-4/packages/dotlrn/www/user-add-2.tcl 28 Nov 2019 11:06:32 -0000 1.18.2.1 @@ -68,7 +68,12 @@ } } -set redirect [export_vars -base user-add-2 {user_id password referer type can_browse_p read_private_data_p dotlrn_interactive_p add_membership_p}] +if {[info exists password]} { + security::set_client_property_password $password +} +set redirect [export_vars -base user-add-2 { + user_id referer type can_browse_p read_private_data_p dotlrn_interactive_p add_membership_p +}] if { $add_membership_p == "t" && $referer eq "/acs-admin/users" } { set redirect "one-community-admin" } else {
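Review bot: In the user-add-2.tcl hunk, the guard `if {[info exists password]}` also fires when `password` exists but is empty, which would overwrite a previously stored value with an empty string. Because the redirect targets `user-add-2` itself, a second pass without the query parameter could wipe the property if the page contract (not visible here) defaults `password` to an empty string; a stricter guard is `if {[info exists password] && $password ne ""} {`. The hunk also drops `password` from the URL without showing where the page reads it back through `security::get_client_property_password`; that lookup presumably lives outside the hunk and is worth confirming.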