Closed Bug 1245503 Opened 9 years ago Closed 9 years ago

Don't allow empty passwords for logins (e.g. add or update time)

Categories

(Firefox for iOS :: Data Storage, defect)

Product:
Firefox for iOS
Component:
Data Storage
Platform:
All
iOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
fxios 2.0+ ---

People

(Reporter: MattN, Assigned: sleroux)

References

Details

Attachments

(1 file)

Link to Github pull-request: https://github.com/mozilla/firefox-ios/pull/1501
48 bytes, text/x-github-pull-request
rnewman
: review+
Details | Review
The new password management feature allows me to blank the password field. This should be disallowed like on other platforms as this violates assumptions that toolkit password manager has which is a problem due to sync even if the forked code isn't affected. IMO this should be enforced both in storage and at the UI level,
Flags: needinfo?(rnewman)
Blocks: 1210103
Sounds fair to me. Does this mean that we don't support empty passwords on desktop, or that we only support saving them (not editing)?
Flags: needinfo?(rnewman)
Hardware: Other → All
(In reply to Richard Newman [:rnewman] from comment #1) > Does this mean that we don't support empty passwords on desktop, or that we > only support saving them (not editing)? Sorry, I filed this from my phone so didn't was a bit terse and didn't provide links. We don't support logins with an empty password anywhere in toolkit code (which is also used by Android). This is enforced at the storage level. We really shouldn't ship as-is if they're going to end up getting synced to Desktop/Android. References: https://mxr.mozilla.org/mozilla-central/source/toolkit/components/passwordmgr/LoginHelper.jsm?rev=fcd050cd03e3#237 https://mxr.mozilla.org/mozilla-central/source/toolkit/components/passwordmgr/nsLoginManager.js?rev=f76692f0fcf8&mark=280-281#271
Summary: Don't allow blanking the password of a login → Don't allow empty passwords for logins (e.g. add or update time)
This sounds bad. I'll investigate.
Assignee: nobody → sleroux
Status: NEW → ASSIGNED
Actually wouldn't this require a new string to tell the user they can't have a blank password? If this is a blocker we could just cancel the submission. Not the greatest UX but if it prevents login chaos I can see it being justified until the next release.
(In reply to Matthew N. [:MattN] from comment #2) > We don't support logins with an empty password anywhere in toolkit code Huh, interesting. My reading of the RFCs suggests that Basic Auth allows an empty password; do we just not support saving that in Firefox, or am I misreading?
(In reply to Stephan Leroux [:sleroux] from comment #4) > Actually wouldn't this require a new string to tell the user they can't have > a blank password? If this is a blocker we could just cancel the submission. > Not the greatest UX but if it prevents login chaos I can see it being > justified until the next release. Just don't offer to save in the UI -- no prompt when browsing, no save button if editing -- if the string is empty. Then make the storage layer reject.
There's also the ability to edit the login from the new detail page. I'll add validation in there.
Does this also apply for usernames or is it just passwords?
(In reply to Stephan Leroux [:sleroux] from comment #8) > Does this also apply for usernames or is it just passwords? No, empty usernames are fine as long as they are an empty string (instead of null). It's common for sites to have login forms that don't require a username so we definitely want to support them. Take a look at the two links in comment 2 for other validation code. If you have some kind of form validation UI you could use that to indicate that the password field is invalid in the UI (e.g. http://grab.by/NQVA) to avoid a string. Either don't allow the user to leave that edit page (don't save) until correcting or have it revert to the old password upon leaving.
I'm going to move this up to 2.0 so its on our radar in Triage. Feel free to put it somewhere else if it doesn't belong there.
tracking-fxios: ?2.0+
Adding two reviewers since we're close to launch.
Attachment #8716314 - Flags: review?(rnewman)
Attachment #8716314 - Flags: review?(bnicholson)
Attachment #8716314 - Flags: review?(rnewman) → review+
master c72264407b08b760b9227f0751dd3fe9b16e2b0f
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → 2.0
Attachment #8716314 - Flags: review?(bnicholson)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: