Closed Bug 650455 Opened 13 years ago Closed 12 years ago

Selecting Remember Password on a j_security_check logon Form auto sets the users username/password on other forms in an application with a similar username/password field.

Categories

(Toolkit :: Password Manager, defect)

Product:
Toolkit
Component:
Password Manager
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: jason-erwin, Unassigned)

Details

Attachments

(5 files)

Initial Login test case page
263 bytes, text/plain
Details
Main page after Login test case page
72 bytes, text/plain
Details
Add User test case page
267 bytes, text/plain
Details
login page.
525 bytes, text/plain
Details
verification page.
1018 bytes, text/plain
Details 
User-Agent:       Mozilla/5.0 (Windows NT 5.1; rv:2.0) Gecko/20100101 Firefox/4.0
Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0) Gecko/20100101 Firefox/4.0

Hi,

I'm an app developer working on a Wicket J2EE application utilizing j_security_check. I have a j_security_check Logon form with the following standard j_security_check input fields:

<input id="j_username" type="text" name="j_username" />

<input id="j_password" type="password" name="j_password" />


I have another form in the application used for adding new Users. It contains the following username/password input fields:


<input type="text" value="" name="userName"/>

<input type="password" name="passwordTableRow:password"/>


When the logged in user hits the Add User form, the fields above are pre-populated with the logged in user's username/password.

This issue doesn't occur in IE 7.





Reproducible: Always

Steps to Reproduce:
1. Create an application with a login form with the following fields:

<input id="j_username" type="text" name="j_username" />

<input id="j_password" type="password" name="j_password" />
 
2. Create another form in the same application with the following fields:

<input type="text" value="" name="userName"/>

<input type="password" name="passwordTableRow:password"/>

3. 
Actual Results:  
The second forms input fields are pre-populated with the username/password from the first form.

Expected Results:  
The username/password input fields on the second form should be empty.
Version: unspecified → 4.0 Branch
Can you create a simple HTML testcase and attach it to this bug?
Hi,

Below is a test case:

Hit Login.html. Enter a UserName/Password. Select Remember my Password. Click Submit. Click the Add User Link. You will see the UserName from Login.html in the UserName field and the password set in the Password field.

Below are the files:

Login.html

<html>
<body>
	<form method="post" action="Main.html">
		UserName <input id="j_username" type="text" name="j_username" />
		Password <input id="j_password" type="password" name="j_password"/>
		<input type="submit" value="Login"/>
	</form>
</body>
</html>


Main.html

<html>
<body>
	<a href="AddUser.html">Add a User</a>
</body>
</html>


AddUser.html

<html>
<body>
Add a New User
	<form >
		UserName <input type="text" value="" name="userName" id="userName95"/>
		Password <input type="password"  value="" name="passwordTableRow:password"/>
		<input type="button" value="Add User"/>
	</form>
</body>
</html>
As asked in comment 1, can you please attach each of these as files to this bug? Its more helpful to have actual files to test than code in comments. Thank you.

    
    

    
  
This had been a relatively large problem for me.  The bug still exists in Firefox 11.  I've got a page to reset a password after a user types in a verification code.  The problem is that the password manager assumes the field before anything typed as password is the username.  So my verification code winds up getting filed in with the username, and not blank like it should be.  My "new password" field gets filled up with the old password.

This is just clearly wrong, and the password saving feature isn't being discriminating enough.  I've also created a test case that I'll attach.

    
    

    
  

      
      
      
      

        Attached file
          
        login page.
      

    


  
Page to use first and choose save password

    
    

    
  

      
      
      
      

        Attached file
          
        verification page.
      

    


  
Page that shows the username as being put in my verification code field, and password being put in my new password field.

    
    

    
  
Is there any way to get some activity from Mozilla on this bug?  Two people have posted test cases, and the bug has been around for at least a full year.  It'd be nice if it was assigned to a relevant person to at least investigate and see how feasible it is to fix.  I'd at least be nice to know someone is actually paying attention to these lists rather than it being a big black hole.

    
    

    
  
It's not a big black hole -- it's just that there is a lot of other work which takes priority over this issue and not enough developers. That said, it is not the responsibility of paid employees to fix every single bug. We are an open community encouraging volunteers to contribute fixes and patches. Firefox is what it is today because volunteers didn't wait for someone being paid by Mozilla to fix their issue.

    
    

    
  
I'm certainly willing to help, but the last time I checked out Firefox code it was quite a bear just to get to the compiling stage.  This was years ago, so perhaps things have changed.  Does Mozilla provide any guidance to developers to start fixing code?

    
    

    
  
https://developer.mozilla.org/ is the first place I would start. The second place would be to join the #developers and #firefox IRC channels irc.mozilla.org and ask for help.

    
    

    
  
(In reply to Vellmont from comment #12)
> I'm certainly willing to help, but the last time I checked out Firefox code
> it was quite a bear just to get to the compiling stage.  This was years ago,
> so perhaps things have changed.  Does Mozilla provide any guidance to
> developers to start fixing code?

Things are much better now, see https://developer.mozilla.org/en/Introduction and in particular https://developer.mozilla.org/En/Simple_build


(In reply to jason-erwin@sbcglobal.net from comment #0)

> 
> <input type="text" value="" name="userName"/>
> <input type="password" name="passwordTableRow:password"/>
> 
> 
> When the logged in user hits the Add User form, the fields above are
> pre-populated with the logged in user's username/password.

Correct. Password manager does not use the |name| attribute when filling in forms. Too many sites had different field names on different pages, which made it hard to use the password mananger. It's been that way since Firefox 3.0.


(In reply to Vellmont from comment #7)
> So my verification
> code winds up getting filed in with the username, and not blank like it
> should be.  My "new password" field gets filled up with the old password.

The solution to both of these problems is to add autocomplete="off" to the <input> or <form>. This will prevent the filling in of the "wrong" username/password, as well as saving the undesired/invalid "login" when that form is submitted.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Component: Security → Password Manager
Product: Firefox → Toolkit
QA Contact: firefox → password.manager
Resolution: --- → INVALID
Version: 4.0 Branch → unspecified

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: